How to set up SFTP without SSH access for a user
Most of the time, system administrators do not want to allow SFTP users to open an interactive SSH (Secure Shell) session on the server, since that increases security. An SFTP chroot jail is the standard way to achieve this.
SFTP (SSH File Transfer Protocol) is enabled by default and we don’t need any additional configuration to activate it. If you create an account and enable SSH access for the user, they will have SFTP access to the server as well.
We can follow these steps to limit the access of SFTP users by disabling SSH access and restricting each user to a single directory:
Step 1: Create a New SFTP Group
Create a new group for SFTP users. Membership in this group is what the chroot rule in Step 5 matches on, so every user you add to it will be confined to the SFTP chroot environment.
# sudo groupadd sftp-group
Step 2: Create a New User
You can either create a new user or use an existing one. Once the user exists, add them to the group created in Step 1 and set a password for them.
# useradd -g sftp-group new-user
# passwd new-user
Verify the group membership:
# groups new-user
Step 3: Create a New Directory for SFTP users
Set up a new directory so that SFTP access for all users is confined to a single tree. If you want to use an existing directory instead, you can skip this step.
# mkdir /sftp
Once the new directory is set up, create a separate directory for each SFTP user within /sftp:
# mkdir /sftp/new-user-dir
The command above creates a directory named new-user-dir for the user new-user.
Step 4: Set Up Appropriate Directory Permissions and Ownership
The permissions on these directories matter: if they are wrong, sshd will refuse to chroot the session, or the users will not be able to write to their own SFTP directory.
First, make root the owner of /sftp, set its group to sftp-group, and set the permissions so that the group (and everyone else) can only read and traverse it. sshd requires the chroot directory, and every directory above it, to be owned by root and not writable by group or others; mode 755 satisfies this.
# sudo chown root:sftp-group /sftp
# sudo chmod 755 /sftp
# ls -ld /sftp
Second, each user needs full permissions on their own directory. Change the ownership and permissions of each user directory as follows:
# sudo chown new-user:sftp-group /sftp/new-user-dir
# sudo chmod 711 /sftp/new-user-dir
Mode 711 gives new-user full read, write and execute access to new-user-dir. Other members of sftp-group only get the execute bit, so they cannot list, create or delete files in that directory (execute alone only allows traversing into it).
Repeat this for each SFTP user's directory.
Step 5: Restrict SFTP Access to a Single Directory
This is the most important step. If you already have users and groups set up for SFTP access, you do not need to follow the steps above; you can go straight to Step 5.
In this step we disable SSH shell access for the users and restrict them to the /sftp directory, so that they cannot go beyond it.
Open sshd_config in an editor:
# sudo nano /etc/ssh/sshd_config
Add the following directives at the end of the sshd_config file (a Match block applies to every directive that follows it, so it must come after the global settings):
Match Group sftp-group
ChrootDirectory /sftp
ForceCommand internal-sftp
- Match Group sftp-group: applies the directives that follow to members of sftp-group only.
- ForceCommand internal-sftp: forces the SSH server to run the built-in SFTP server on login instead of the user's shell. Therefore, the user cannot get an interactive SSH session.
- ChrootDirectory /sftp: makes /sftp the root of the user's session, so they cannot access anything outside it. sshd only accepts this directory if it and all of its parents are owned by root and not writable by group or others, which the permissions from Step 4 provide.
Save the sshd_config file and restart the sshd service:
# sudo systemctl restart sshd
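The five steps above, wrapped in re-runnable shell functions, as an added example that is not part of the original post. It also encodes the ownership rule sshd applies to ChrootDirectory as a function that can be checked without root, and validates sshd_config with sshd -t before restarting so a typo cannot lock everyone out. It assumes a Linux host with GNU coreutils (stat -c), OpenSSH and systemd; the per-user directory is named after the user (/sftp/<user>) rather than the post's new-user-dir, which is this example's own convention.

```shell
#!/bin/sh
# Added example (not from the original post): steps 1-5 as functions.
# Assumptions: GNU stat, OpenSSH sshd with Match/internal-sftp, systemd,
# and per-user directories named /sftp/<user> (this example's convention).
set -eu

SFTP_GROUP=${SFTP_GROUP:-sftp-group}
SFTP_ROOT=${SFTP_ROOT:-/sftp}
SSHD_CONFIG=${SSHD_CONFIG:-/etc/ssh/sshd_config}

# The Match block from Step 5, rendered as text (pure function, no side effects).
render_match_block() {
    printf 'Match Group %s\n    ChrootDirectory %s\n    ForceCommand internal-sftp\n' "$1" "$2"
}

# sshd refuses to chroot into a directory unless it, and every directory above
# it, is owned by root and writable by neither group nor others. This checks one
# directory from its owner name and octal mode (as printed by stat -c '%U %a'),
# so the rule can be exercised without root. Returns 0 when acceptable.
chroot_dir_ok() {
    owner=$1 mode=$2
    [ "$owner" = root ] || return 1
    oth=${mode#"${mode%?}"}      # last octal digit: others
    rest=${mode%?}
    grp=${rest#"${rest%?}"}      # second-to-last digit: group
    case "$grp$oth" in *[2367]*) return 1 ;; esac   # 2,3,6,7 carry the w bit
    return 0
}

# Walk from the chroot directory up to / and apply chroot_dir_ok at each level.
check_chroot_path() {
    dir=$1
    while :; do
        set -- $(stat -c '%U %a' "$dir")
        chroot_dir_ok "$1" "$2" || { echo "sshd would refuse chroot: $dir is $1 $2" >&2; return 1; }
        [ "$dir" = / ] && return 0
        dir=$(dirname "$dir")
    done
}

# Steps 1, 3 and the shared part of 4: the group and a root-owned, non-writable /sftp.
setup_group_and_root() {
    getent group "$SFTP_GROUP" >/dev/null || groupadd "$SFTP_GROUP"
    mkdir -p "$SFTP_ROOT"
    chown root:"$SFTP_GROUP" "$SFTP_ROOT"
    chmod 755 "$SFTP_ROOT"
    check_chroot_path "$SFTP_ROOT"
}

# Steps 2 and the per-user part of 4: create the user in the group and give them
# a directory inside the jail that only they can list and write (mode 711).
add_sftp_user() {
    user=$1
    id "$user" >/dev/null 2>&1 || useradd -g "$SFTP_GROUP" "$user"
    passwd "$user"               # interactive, as in Step 2
    mkdir -p "$SFTP_ROOT/$user"
    chown "$user:$SFTP_GROUP" "$SFTP_ROOT/$user"
    chmod 711 "$SFTP_ROOT/$user"
}

# Step 5: append the Match block once, then validate with sshd -t before restarting.
install_match_block() {
    grep -q "^Match Group $SFTP_GROUP\$" "$SSHD_CONFIG" ||
        render_match_block "$SFTP_GROUP" "$SFTP_ROOT" >> "$SSHD_CONFIG"
    sshd -t -f "$SSHD_CONFIG"
    systemctl restart sshd
}

# Run as root:  sh sftp-jail.sh --apply new-user
if [ "${1-}" = --apply ]; then
    setup_group_and_root
    add_sftp_user "$2"
    install_match_block
fi
```

The functions only touch the system when the script is invoked with --apply; check_chroot_path is worth running on its own after any change to /sftp or its parents, since a group- or world-writable component anywhere in the path makes sshd reject the login rather than silently weaken the jail.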
Verify the Setup
Now it is time to test your setup. Try to SSH into the server as the newly created new-user:
# ssh new-user@localhost
You should see this error message:
This service allows sftp connections only.
Connection to localhost closed.
So new-user is not allowed to SSH into the system.
Next, verify SFTP access for new-user:
# sftp new-user@localhost
You should get an SFTP prompt:
Connected to localhost.
sftp>
You will notice that the user's root directory is /sftp and they cannot go beyond it: inside the jail the user sees / (which is /sftp on the host), and their own writable directory /sftp/new-user-dir appears as /new-user-dir.
Summary
You have successfully restricted the user to SFTP access only, confined to the single directory named in sshd_config.
The Linux screenshots in this post were taken on a third-party website, which you can also use to practice your Linux skills.