Setup SFTP-only User Accounts on CentOS 7

Last Updated: Wed, Feb 10, 2016

Sometimes a system administrator needs an account that can manage its own files over SFTP but cannot log in to the system by any other means: no shell, no port forwarding, no view of the rest of the filesystem. This article shows how to do that with nothing more than OpenSSH's built-in SFTP server and a chroot.

Prerequisites

To get hands-on experience, you need to deploy a Vultr CentOS 7 x64 server instance. Please note that the instructions for other Linux distributions may be different.

All commands in this article are meant to be run as root; if you are working from a non-root user, prefix them with sudo.

Step 1: Create a dedicated SFTP group and a dedicated SFTP user

groupadd sftpusers

useradd -g sftpusers -s /sbin/nologin user1

passwd user1

Here sftpusers is the group that the sshd Match block in Step 2 will restrict, and user1 is a member of that group whose login shell is /sbin/nologin. The shell is only a second line of defence: the SFTP session is served by sshd's in-process internal-sftp, which never starts a shell for the user, so the nologin shell is not consulted during an SFTP login. It does, however, still block console logins, su, and any other login path that would hand the user a shell.

Step 2: Modify the configuration of the sshd service

Open the configuration file of the sshd service:

vi /etc/ssh/sshd_config

Find the line:

Subsystem sftp /usr/libexec/openssh/sftp-server

Replace it with:

Subsystem sftp internal-sftp

Append the following lines to the end of the file. Everything after a Match line applies only to connections that match it, until the next Match line, so the block must come after all global settings. The group name sftpusers must be the same as the one you created in Step 1.

Match Group sftpusers
    X11Forwarding no
    AllowTcpForwarding no
    ChrootDirectory %h
    ForceCommand internal-sftp

ChrootDirectory %h confines the session to the user's home directory. sshd enforces a strict rule here: the chroot directory and every directory above it must be owned by root and must not be writable by group or others; otherwise sshd logs "bad ownership or modes for chroot directory component" and closes the connection. ForceCommand internal-sftp runs the in-process SFTP server whatever the client asks for, so a request for an interactive shell or a remote command is refused with the message "This service allows sftp connections only." The two forwarding options stop the account from being used as a tunnel into the host. Public-key authentication keeps working, because sshd reads ~/.ssh/authorized_keys before entering the chroot, but since the home directory will be root-owned (Step 3) the user cannot manage that file themselves.

Save and quit:

:wq

Check the syntax first with sshd -t (it prints nothing when the file is valid), then restart the sshd service to put your changes into effect. Do this from a session you keep open: a broken sshd_config will lock you out of new logins.

systemctl restart sshd.service

Step 3: Create a dedicated directory for the SFTP-only user

Because of the ownership rule for ChrootDirectory, the home directory itself must belong to root and be writable by nobody else, so the user gets a root-owned home with a subdirectory that the user owns. Apply the ownership and mode to the home directory only, not recursively: a recursive chown would also take away the user's ownership of any files already in an existing home directory.

chown root:root /home/user1

chmod 755 /home/user1

mkdir /home/user1/files

chown user1:sftpusers /home/user1/files

After logging in, user1 lands in what appears to be / (really /home/user1), sees the files directory and can upload to and download from it. Nothing outside /home/user1, including other users' home directories, is reachable from the chrooted session, and /home/user1 itself is read-only for the user.

Step 4: Create more SFTP-only users

If you need more SFTP-only users, create them in the same fashion; each gets its own root-owned home and its own writable files directory:

useradd -g sftpusers -s /sbin/nologin user2

passwd user2

chown root:root /home/user2

chmod 755 /home/user2

mkdir /home/user2/files

chown user2:sftpusers /home/user2/files

That's it. Any account created in this fashion is refused a shell: an ssh login as that user is answered with "This service allows sftp connections only." and closed, while an sftp client connects normally and is confined to the user's home. If uploads to the files directory fail with a permission error even though the ownership above is correct, check the SELinux audit log for denials (ausearch -m avc); CentOS 7 ships with SELinux enforcing, and the ssh_chroot_rw_homedirs boolean controls whether a chrooted sshd session may write to home directories.
