How to add an SFTP-only user (without allowing SSH access) on CentOS 7

Introduction

This tutorial will help you to create an SFTP-only user (without SSH access) on CentOS and RedHat systems. The user can connect to the server with SFTP access only, and is only allowed to access the specified directory. The user cannot SSH into the server. Follow the below tutorial to create this SFTP-only account.

Prerequisites

To follow this tutorial, make sure you are logged into your server with a sudo user.

Step 1 - Create a New User

First, create a new user who will be granted only file transfer access to the server. Here, we're using the username mysftp, but you can use any username you like.

adduser mysftp

Next, assign a password to the new user:

passwd mysftp

Enter a strong password, and repeat it again to verify it.

You have now created a new user that will be granted access to the restricted directory. In the next step we will create the directory for file transfers and set up the necessary permissions.

Step 2 - Create a Directory for File Transfers

Once our user is created, the next step is to create the directory where SFTP will act, preventing access and this must be configured with specific parameters.

We will create a directory called /var/sftp/uploads in which the /var/sftp is part of the root user, and no other user will have the current permissions, and in the subdirectory /var/sftp/uploads the owner will be the new user access. We create the directory using the following line:

mkdir -p /var/sftp/uploads

Set the owner of /var/sftp to root.

chown root:root /var/sftp

Give root write permissions to the same directory, and give other users only read and execute rights.

chmod 755 /var/sftp

Change the ownership on the uploads directory to mysftp.

chown mysftp:mysftp /var/sftp/uploads

Step 3 - Restrict Directory Access

In this step we will restrict access via the terminal to the user, but allow the transfer of files.

Open the SSH server configuration file with vi or your favourite text editor:

vi /etc/ssh/sshd_config

Scroll to the very bottom of the file and append the following configuration snippet:

Match User mysftp
ForceCommand internal-sftp
PasswordAuthentication yes
ChrootDirectory /var/sftp
PermitTunnel no
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no

Save and quit:

:wq

Execute the following command to apply the changes in SSH:

systemctl restart sshd

Step 4 - Verify SSH Connection

Let's ensure that our new mysftp user can only transfer files.

Logging in to the server as mysftp using normal shell access should no longer be possible. Let's try it:

ssh mysftp@localhost

You'll see the following message before being returned to your original prompt:

This service allows sftp connections only.
Connection to localhost closed.

This means that mysftp can no longer access the server shell using SSH.

Next, let's verify if the user can successfully access SFTP for file transfer.

sftp mysftp@localhost

Instead of an error message, this command will show a successful login message with an interactive prompt.

Connected to localhost.
sftp>

You can list the directory contents using ls in the prompt:

sftp> ls

This will show the uploads directory that was created in the previous step and return you to the sftp> prompt.

uploads

Conclusion

You've created and restricted a user to SFTP-only access to a single directory on a server without giving them full shell access. While this tutorial uses only one directory and one user for brevity, you can extend this example to multiple users and multiple directories.

License: MIT