This brief tutorial shows students and new users how to create sFTP users in Ubuntu Linux and other distributions.
sFTP or Secure File Transfer Protocol is a secure file transfer protocol that runs on top of SSH. It is used to access, manage, and transfer files over an encrypted SSH transport session.
If you want to provide file access via FTP, you should use sFTP instead for better security. You’ll also need to create a user account to access and manage the files on the sFTP host.
While the sFTP protocol itself is secure, an improperly provisioned user account can still expose your server: an account with a login shell, or without a chroot, can do far more than transfer files.
Below are some steps that can help you protect your server so that sFTP users can’t access more than only their files.
To create an sFTP-only user account in Linux, follow the steps below:
Create a user account
The goal of this tutorial is to create an sFTP account that will only be used to access files and nothing more. This will make sure your server isn’t vulnerable to other threats.
Run the command below to create an sFTP-only account called sftpuser. You can give the user any name you want; for this tutorial, we’re going to be using sftpuser.
sudo adduser --shell /bin/false sftpuser
When prompted, type a password and other account details.
Adding user `sftpuser' ...
Adding new group `sftpuser' (1001) ...
Adding new user `sftpuser' (1001) with group `sftpuser' ...
Creating home directory `/home/sftpuser' ...
Copying files from `/etc/skel' ...
New password:
Retype new password:
passwd: password updated successfully
Changing the user information for sftpuser
Enter the new value, or press ENTER for the default
        Full Name : sFTP User
        Room Number :
        Work Phone :
        Home Phone :
        Other :
Is the information correct? [Y/n] y
The above account is created with /bin/false as its login shell, so it has no shell access. This means the user will not be able to log on to the server like a normal user.
Create a home directory
Now that the account above is created, create an sFTP home directory for the account. You can do that by running the commands below.
sudo mkdir -p /var/sftp/downloads
Now we’ll want to restrict the user to the /var/sftp/downloads folder only. The user will be able to download from and upload to that location. The chroot directory itself (/var/sftp) must be owned by root and must not be writable by any other user or group, otherwise sshd refuses the connection; that is why the parent is handed to root with mode 755 and only the downloads subfolder is given to sftpuser.
sudo chown sftpuser:sftpuser /var/sftp/downloads
sudo chown root:root /var/sftp
sudo chmod 755 /var/sftp
Now that the user account and its directory are set up, configure the SSH server to provide restrictive access. If you don’t already have the OpenSSH server installed, run the commands below to install it.
sudo apt update
sudo apt install openssh-server
By default, the SSH server’s main configuration file is /etc/ssh/sshd_config.
Run the commands below to open the SSH configuration file.
sudo nano /etc/ssh/sshd_config
At the end of the SSH config file, copy and paste the lines below and save.
Match User sftpuser
    ForceCommand internal-sftp
    PasswordAuthentication yes
    ChrootDirectory /var/sftp
    PermitTunnel no
    AllowAgentForwarding no
    AllowTcpForwarding no
    X11Forwarding no
Save the file and exit.
Below are descriptions of the config options above:
- Match User sftpuser: the options that follow apply only to the user sftpuser.
- ForceCommand internal-sftp: enforce SFTP-only access with no shell, using the SFTP server built into sshd.
- PasswordAuthentication yes: allows password authentication for the user.
- ChrootDirectory /var/sftp: confine the session to /var/sftp, so the user cannot see or reach anything outside it.
- PermitTunnel no: no tun device forwarding is permitted.
- AllowAgentForwarding no: no ssh-agent forwarding is permitted.
- AllowTcpForwarding no: no TCP port forwarding is permitted.
- X11Forwarding no: no X11 (graphical application) forwarding is permitted.
Restart the SSH server to apply the changes.
sudo systemctl restart sshd
That should do it. The user should be able to connect to the server via sFTP and access the downloads folder only.
This post showed you how to create and restrict an sFTP user account in Linux. If you find any error above, please use the comment form below to report.
Excellent! This post was very, very helpful. I would like to note that the correct command to restart the SSH daemon is
sudo systemctl restart sshd