Step 1 — Creating a New User
adduser sammyfiles
Step 2 — Creating a Directory for File Transfers
There are a number of ways to work around this ownership issue. In this tutorial, we’ll create and use /var/sftp/uploads
as the target upload directory. /var/sftp
will be owned by root and will be unwritable by other users; the subdirectory /var/sftp/uploads
will be owned by sammyfiles, so that user will be able to upload files to it.
First, create the directories.
mkdir -p /var/sftp/uploads
Set the owner of /var/sftp
to root.
chown root:root /var/sftp
Give root write permissions to the same directory, and give other users only read and execute rights.
chmod 755 /var/sftp
Change the ownership on the uploads
directory to sammyfiles.
chown sammyfiles:sammyfiles /var/sftp/uploads
Step 3 — Restricting Access to One Directory
nano /etc/ssh/sshd_config
Scroll to the very bottom of the file and append the following configuration snippet:
. . .
Match User sammyfiles
ForceCommand internal-sftp
PasswordAuthentication yes
ChrootDirectory /var/sftp
PermitTunnel no
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no
Then save and close the file.
Here’s what each of those directives do:
Match User
tells the SSH server to apply the following commands only to the user specified. Here, we specify sammyfiles.ForceCommand internal-sftp
forces the SSH server to run the SFTP server upon login, disallowing shell access.PasswordAuthentication yes
allows password authentication for this user.ChrootDirectory /var/sftp/
ensures that the user will not be allowed access to anything beyond the /var/sftp
directory. You can learn more about chroot in this chroot tutorial.AllowAgentForwarding no
, AllowTcpForwarding no
. and X11Forwarding no
disables port forwarding, tunneling and X11 forwarding for this user.
This set of commands, starting with Match User
, can be copied and repeated for different users too. Make sure to modify the username in the Match User
line accordingly.
To apply the configuration changes, restart the service.
systemctl restart sshd
You have now configured the SSH server to restrict access to file transfer only for sammyfiles. The last step is testing the configuration to make sure it works as intended.
Step 4 — Verifying the Configuration
Let’s ensure that our new sammyfiles user can only transfer files.
Logging in to the server as sammyfiles using normal shell access should no longer be possible.
Share your thoughts