SFTP stands for “SSH File Transfer Protocol.” SFTP is a file transfer protocol used to transfer files between two servers. By default, SFTP is available to every account that can log in over SSH. However, that also means every such account gets a terminal (shell) session, which is not recommended for security reasons.
In this tutorial, we will learn how to create an SFTP user without shell access so that the user has only SFTP access and not SSH access.
Step 1 – Create an SFTP User
First, you will need to create a new user with only file transfer access. You can create a new user named sftp using the following command:
adduser sftp
Next, set the password for the above user:
passwd sftp
Provide your desired password and hit enter.
Step 2 – Create a Directory Structure for File Transfers
Next, you will need to create a directory structure for file transfers, so that the sftp user's access can be confined to a single directory tree.
You can create a new directory with the following command:
mkdir -p /opt/sftp/public
Next, set the ownership of the /opt/sftp/ directory to root (sshd will only chroot a user into a directory that is owned by root and not writable by any other user, so the sftp user must not own this top-level directory):
chown root:root /opt/sftp
Next, give proper permissions with the following command:
chmod 755 /opt/sftp
Next, set the ownership of the public directory to the sftp user:
chown sftp:sftp /opt/sftp/public
Step 3 – Configure SSH for SFTP
Next, you will need to configure SSH to restrict access to one directory and disallow terminal access to the sftp user.
You can do it by editing the file /etc/ssh/sshd_config:
nano /etc/ssh/sshd_config
Add the following lines at the end of the file:
Match User sftp
    ForceCommand internal-sftp
    PasswordAuthentication yes
    ChrootDirectory /opt/sftp
    PermitTunnel no
    AllowAgentForwarding no
    AllowTcpForwarding no
    X11Forwarding no
Save and close the file when you are finished. Then, restart the SSH service to apply the changes:
systemctl restart sshd
Step 4 – Verify SFTP
Now, verify the SFTP access with the following command:
sftp sftp@your-server-ip
You will be asked to provide a password as shown below:
sftp@your-server-ip's password:
Provide your sftp user password and hit Enter. Once connected, you should see the following output:
Connected to your-server-ip.
sftp>
Next, run the following command to list the directory:
sftp> ls
You should see the public directory in the following output:
public
sftp>
Next, verify that the sftp user cannot open an SSH shell session:
ssh sftp@your-server-ip
You will be asked to provide a password as shown below:
sftp@your-server-ip's password:
Provide your sftp user password and hit Enter. You should see the following output:
This service allows sftp connections only.
Connection to your-server-ip closed.
The above output indicates that the sftp user can no longer access the server shell via SSH.
Conclusion
Congratulations! You have successfully configured SFTP without shell access on CentOS 8. You can also use this setup for multiple users and directories. Get started with SFTP today on a VPS from Atlantic.Net!