How to Create and Restrict sFTP Users in Ubuntu Linux


This brief tutorial shows students and new users how to create sFTP users in Ubuntu Linux and other distributions.

sFTP or Secure File Transfer Protocol is a secure file transfer protocol that runs on top of SSH. It is used to access, manage, and transfer files over an encrypted SSH transport session.

If you want to provide file access via FTP, you should use sFTP instead for better security. You’ll also need to create a user account to access and manage the files on the sFTP host.

While the sFTP protocol itself is secure, a user account that isn't provisioned properly can leave your server exposed: by default an SSH user gets a shell and can reach far more than the files you intend to share.

Below are some steps that can help you protect your server so that sFTP users can’t access more than only their files.

To create an sFTP-only user account in Linux, follow the steps below:

Create a user account

The goal of this tutorial is to create an sFTP account that will only be used to access files and nothing more. This will make sure your server isn’t vulnerable to other threats.

Run the command below to create an sFTP-only account called sftpuser. You can give the user any name you want; for this tutorial, we're going to be using sftpuser.

sudo adduser --shell /bin/false sftpuser 

When prompted, type a password and other account details.

Adding user `sftpuser' .
Adding new group `sftpuser' (1001) .
Adding new user `sftpuser' (1001) with group `sftpuser' .
Creating home directory `/home/sftpuser' .
Copying files from `/etc/skel' .
New password: 
Retype new password: 
passwd: password updated successfully
Changing the user information for sftpuser
Enter the new value, or press ENTER for the default
	Full Name []: sFTP User
	Room Number []: 
	Work Phone []: 
	Home Phone []: 
	Other []: 
Is the information correct? [Y/n] y

The above account will be created without shell access. This means the user will not be able to log on to the server like a normal user.

Create a home directory

Now that the account above is created, create an sFTP home directory for the account. You can do that by running the commands below.

sudo mkdir -p /var/sftp/downloads 

Now we'll want to restrict the user to the /var/sftp/downloads folder only. The chroot directory itself (/var/sftp) must be owned by root and not be writable by anyone else, while the user owns the downloads folder inside it, which is where they will be able to download from and upload to.

sudo chown sftpuser:sftpuser /var/sftp/downloads
sudo chown root:root /var/sftp
sudo chmod 755 /var/sftp

Configure SSH

Now that the user account is created, configure the SSH server to provide restricted access. If you don't already have the SSH server installed, run the commands below to install it.

sudo apt update
sudo apt install openssh-server

By default, the SSH daemon's main configuration file is at /etc/ssh/sshd_config.

Run the commands below to open the SSH configuration file.

sudo nano /etc/ssh/sshd_config 

At the end of the SSH config file, copy and paste the lines below and save.

Match User sftpuser
	ForceCommand internal-sftp
	PasswordAuthentication yes
	ChrootDirectory /var/sftp
	PermitTunnel no
	AllowAgentForwarding no
	AllowTcpForwarding no
	X11Forwarding no

Save the file and exit.

Below are descriptions of the config options above:

  • Match User sftpuser: apply the settings that follow only to the user sftpuser.
  • ForceCommand internal-sftp: enforce sFTP-only access with no shell, regardless of what the client asks for.
  • PasswordAuthentication yes: allows password authentication for the user.
  • ChrootDirectory /var/sftp: restrict the user to the directory tree under /var/sftp; every component of this path must be owned by root and not be group- or world-writable, or sshd will refuse the login.
  • PermitTunnel no: no tun device (VPN-style) forwarding is permitted.
  • AllowAgentForwarding no: no ssh-agent forwarding is permitted.
  • AllowTcpForwarding no: no TCP port forwarding is permitted.
  • X11Forwarding no: no X11 (graphical application) forwarding is permitted.

Restart the SSH server to apply the changes.

sudo systemctl restart sshd

That should do it. The user should be able to connect to the server via sFTP and access the downloads folder only.
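The steps above can be wrapped in a small script. The following is an added example, not code from the original post: it generates the Match block shown above, checks the ownership and mode rules that sshd enforces on a ChrootDirectory path, and verifies the effective per-user settings from the output of `sshd -T -C user=...` so you can confirm the restriction took effect before handing out credentials. It assumes GNU coreutils `stat` (as on Ubuntu) and an OpenSSH `sshd` that supports `-T` and `-C`; the provisioning function at the bottom is the tutorial's commands and needs root, the checks do not.

```shell
#!/bin/sh
# Added example (not from the original post): helpers for provisioning and
# verifying a chroot-restricted, SFTP-only user.
# Assumptions: GNU `stat -c`, OpenSSH `sshd -T -C`, Ubuntu-style `adduser`.

# Print the sshd_config Match block from the tutorial for a user and chroot.
sftp_match_block() {
    user="$1"; chroot="$2"
    printf 'Match User %s\n' "$user"
    printf '\tForceCommand internal-sftp\n'
    printf '\tPasswordAuthentication yes\n'
    printf '\tChrootDirectory %s\n' "$chroot"
    printf '\tPermitTunnel no\n'
    printf '\tAllowAgentForwarding no\n'
    printf '\tAllowTcpForwarding no\n'
    printf '\tX11Forwarding no\n'
}

# sshd rejects a ChrootDirectory unless every path component is owned by
# root and is not writable by group or others ("bad ownership or modes").
# Pure check on a numeric uid and an octal mode string (as printed by
# `stat -c %a`), so it can be exercised without root.
chroot_component_ok() {
    uid="$1"; mode="$2"
    [ "$uid" -eq 0 ] || return 1
    # keep the low three octal digits (drops setuid/sticky bits, pads short modes)
    perm=$(printf '%s' "000$mode" | sed 's/.*\(...\)$/\1/')
    grp=$(printf '%s' "$perm" | cut -c2)
    oth=$(printf '%s' "$perm" | cut -c3)
    [ $((grp & 2)) -eq 0 ] && [ $((oth & 2)) -eq 0 ]
}

# Walk from the chroot directory up to / and report the first component
# that sshd would reject.
check_chroot_path() {
    dir="$1"
    while :; do
        out=$(stat -c '%u %a' "$dir") || return 1
        set -- $out
        if ! chroot_component_ok "$1" "$2"; then
            echo "bad ownership/mode on $dir (uid=$1 mode=$2)" >&2
            return 1
        fi
        [ "$dir" = "/" ] && return 0
        dir=$(dirname "$dir")
    done
}

# Read the output of `sshd -T -C user=<name>,host=<h>,addr=<a>` on stdin
# (keywords are printed lowercase) and confirm every restriction is in
# effect for that user. Returns 1 and names each missing setting otherwise.
verify_effective_config() {
    chroot="$1"; rc=0
    conf=$(cat)
    for want in "forcecommand internal-sftp" "chrootdirectory $chroot" \
                "permittunnel no" "allowagentforwarding no" \
                "allowtcpforwarding no" "x11forwarding no"; do
        printf '%s\n' "$conf" | grep -qxF "$want" \
            || { echo "missing: $want" >&2; rc=1; }
    done
    return $rc
}

# The tutorial's provisioning steps, wrapped in a function (requires root).
# `sshd -t` validates the configuration before the daemon is restarted, so a
# typo in the Match block cannot lock you out.
provision_sftp_user() {
    user="$1"; chroot="$2"
    adduser --shell /bin/false "$user"
    mkdir -p "$chroot/downloads"
    chown root:root "$chroot" && chmod 755 "$chroot"
    chown "$user:$user" "$chroot/downloads"
    check_chroot_path "$chroot" || return 1
    sftp_match_block "$user" "$chroot" >> /etc/ssh/sshd_config
    sshd -t && systemctl restart sshd
}

# Usage (as root):
#   provision_sftp_user sftpuser /var/sftp
#   sshd -T -C user=sftpuser,host=localhost,addr=127.0.0.1 \
#       | verify_effective_config /var/sftp
```

The `sshd -T -C` check is the one worth keeping around: it prints the configuration sshd would actually apply to a connection from that user, so it catches a Match block that was pasted above another Match (where it would be swallowed) or a later directive that overrides it.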


This post showed you how to create and restrict an sFTP user account in Linux. If you find any error above, please use the comment form below to report.


Posted by
Richard W

1 Comment

  1. Juan Jose Gaytan

    Excellent! this post was very very helpful. I would like to note that the correct command to restart the SSH daemon is
    sudo systemctl restart sshd
