Adding an sftp-only account

An sftp-only account is a special type of Linux account where the user:

  • cannot log in to the Linux shell
  • can only connect via the sftp protocol
  • in sftp, can only browse their own home directory
  • does not own their own home directory and cannot write to it
  • can only write to directories underneath the home directory

To create the sftp user called sarah, the administrator logs in to the server and types the following commands (the following information has been taken from this link):

Server preparation

The following preparation needs to be done only once. It has already been done and does not need to be repeated unless the server has been reinstalled for some reason.

In the file /etc/ssh/sshd_config, make sure the sftp subservice is defined with the line:
Subsystem sftp /usr/lib/openssh/sftp-server

Add the following lines at the end of the same file:
Match Group sftp
ChrootDirectory %h
ForceCommand internal-sftp
AllowTcpForwarding no

Then, in the Linux shell, create the sftp group:

sudo addgroup sftp

Creating the sftp user and set its properties

The commands below need to be typed for each sftp user:
sudo adduser sarah
sudo usermod -aG sftp sarah
sudo usermod -s /bin/false sarah
sudo chown root:root /home/sarah
sudo chmod 0755 /home/sarah
sudo mkdir /home/sarah/Data
sudo chown -R sarah:sarah /home/sarah/Data

The usermod commands above add user sarah to the sftp group and set her shell to /bin/false, so she can never get shell access. The chown and chmod commands set the permissions that sshd requires for a chroot directory: it must be owned by root and must not be writable by the user. With these permissions set, the user can upload and download files, but cannot create directories or files in the top-level directory of her chroot (/home/sarah). In other words, ensure that a subdirectory of the home directory, such as /home/sarah/Data (or, if this is used for web hosting, /home/sarah/public_html), exists and is owned by the user; this way she can write to and create directories in that subdirectory, but cannot make changes to the home directory (/home/sarah) itself.
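The whole procedure above, server preparation and per-user setup, collected into one script, as an added example that is not part of the original post. The group name sftp, the Data subdirectory, the DRY_RUN switch and the function names are this script's own assumptions. Beyond the page's commands it also verifies the condition sshd enforces on ChrootDirectory (the directory and every parent component must be root-owned and not group- or world-writable), which is the usual reason a chrooted sftp login is rejected with "bad ownership or modes for chroot directory".

```shell
#!/bin/sh
# Added example (not from the original post): provision a chrooted sftp-only user
# following the steps above and verify the chroot directory permissions that
# sshd requires. Group name, data subdirectory and DRY_RUN are assumptions.
set -eu

SFTP_GROUP="${SFTP_GROUP:-sftp}"
DATA_SUBDIR="${DATA_SUBDIR:-Data}"
DRY_RUN="${DRY_RUN:-}"   # set DRY_RUN=1 to print the commands instead of running them

# Run a privileged command, or just print it when DRY_RUN is set.
run() {
    if [ -n "$DRY_RUN" ]; then
        printf 'sudo %s\n' "$*"
    else
        sudo "$@"
    fi
}

# Pure check of the chroot rule: owner uid must be 0 and neither group nor
# world may have the write bit (mode & 022 must be zero).
# $1 = numeric uid, $2 = octal mode as printed by stat (e.g. 755 or 2755).
chroot_perms_ok() {
    uid_="$1"; mode_="$2"
    [ "$uid_" -eq 0 ] || return 1
    [ $(( 0$mode_ & 022 )) -eq 0 ] || return 1
    return 0
}

# Check one real directory with stat (GNU coreutils) and report what is wrong.
check_chroot_dir() {
    dir_="$1"
    uid_=$(stat -c '%u' "$dir_")
    mode_=$(stat -c '%a' "$dir_")
    if chroot_perms_ok "$uid_" "$mode_"; then
        return 0
    fi
    echo "chroot component $dir_ has uid=$uid_ mode=$mode_; sshd requires root ownership and no group/world write" >&2
    return 1
}

# sshd applies the rule to every component of the path, so walk up to /.
check_chroot_path() {
    p_="$1"
    while :; do
        check_chroot_dir "$p_" || return 1
        [ "$p_" = "/" ] && return 0
        p_=$(dirname "$p_")
    done
}

# Print the sshd_config Match block from the server preparation step.
sshd_match_block() {
    printf 'Match Group %s\n' "$SFTP_GROUP"
    printf '    ChrootDirectory %%h\n'
    printf '    ForceCommand internal-sftp\n'
    printf '    AllowTcpForwarding no\n'
}

# Create the user, restrict the shell, lock down the chroot and create the
# writable subdirectory. usermod -aG keeps any existing supplementary groups.
provision_sftp_user() {
    user_="$1"; home_="/home/$1"
    run adduser "$user_"
    run usermod -aG "$SFTP_GROUP" "$user_"
    run usermod -s /bin/false "$user_"
    run chown root:root "$home_"
    run chmod 0755 "$home_"
    run mkdir -p "$home_/$DATA_SUBDIR"
    run chown -R "$user_:$user_" "$home_/$DATA_SUBDIR"
    if [ -z "$DRY_RUN" ]; then
        check_chroot_path "$home_"
    fi
}

# Usage: ./sftp-user.sh sarah      (DRY_RUN=1 ./sftp-user.sh sarah to preview)
if [ -n "${1:-}" ]; then
    provision_sftp_user "$1"
fi
```

The Match block only takes effect after sshd re-reads its configuration (for example `sudo sshd -t` to check the syntax, then `sudo systemctl reload ssh`), and the path check explains why a home under a world-writable parent such as /tmp would be refused even with the home itself set to root:root 0755.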
