Introduction
This tutorial will help you create an SFTP-only user (without SSH access) on CentOS and RedHat systems. The user can connect to the server over SFTP only and is restricted to the specified directory; the user cannot SSH into the server. Follow the tutorial below to create this SFTP-only account.
Prerequisites
To follow this tutorial, make sure you are logged into your server with a sudo user.
Step 1 - Create a New User
First, create a new user who will be granted only file transfer access to the server. Here, we're using the username mysftp, but you can use any username you like.
adduser mysftp

Next, assign a password to the new user:

passwd mysftp

Enter a strong password, and repeat it to verify it.
You have now created a new user that will be granted access to the restricted directory. In the next step we will create the directory for file transfers and set up the necessary permissions.
Step 2 - Create a Directory for File Transfers
Once the user is created, the next step is to create the directory that SFTP will be confined to. Because this directory is used as a chroot, its ownership and permissions must be set exactly as shown below.
We will create a directory called /var/sftp/uploads. The parent directory /var/sftp will be owned by root, and no other user will have write permission to it; the subdirectory /var/sftp/uploads will be owned by the new user so that the user can write there. Create the directories with the following command:
mkdir -p /var/sftp/uploads

Set the owner of /var/sftp to root:

chown root:root /var/sftp

Give root write permission to the same directory, and give other users only read and execute rights:

chmod 755 /var/sftp

Change the ownership of the uploads directory to mysftp:

chown mysftp:mysftp /var/sftp/uploads

Step 3 - Restrict Directory Access
In this step we will deny the user terminal (shell) access while still allowing file transfers.
Open the SSH server configuration file with vi or your favourite text editor:
vi /etc/ssh/sshd_config

Scroll to the very bottom of the file and append the following configuration snippet:
Match User mysftp
ForceCommand internal-sftp
PasswordAuthentication yes
ChrootDirectory /var/sftp
PermitTunnel no
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no

Save and quit:

:wq

Execute the following command to apply the changes to SSH:

systemctl restart sshd

Step 4 - Verify SSH Connection
Let's ensure that our new mysftp user can only transfer files.
Logging in to the server as mysftp using normal shell access should no longer be possible. Let's try it:
ssh mysftp@localhost

You'll see the following message before being returned to your original prompt:
This service allows sftp connections only.
Connection to localhost closed.

This means that mysftp can no longer access the server shell over SSH.
Next, let's verify that the user can successfully access SFTP for file transfer:

sftp mysftp@localhost

Instead of an error message, this command shows a successful login message with an interactive prompt:
Connected to localhost.
sftp>

You can list the directory contents with ls at the prompt:

sftp> ls

This shows the uploads directory created in the previous step and returns you to the sftp> prompt:

uploads

Conclusion
You've created and restricted a user to SFTP-only access to a single directory on a server without giving them full shell access. While this tutorial uses only one directory and one user for brevity, you can extend this example to multiple users and multiple directories.
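Two of the steps above are easy to get subtly wrong: sshd refuses a ChrootDirectory unless it and every directory above it are owned by root and not writable by group or others (the reason for the chown and chmod in Step 2), and a typo in the Match block from Step 3 silently leaves the user unrestricted. The script below is an added example, not part of the original tutorial; it checks both conditions before you restart sshd. It assumes GNU coreutils stat (as on CentOS/RHEL), and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the tutorial): pre-restart checks for the SFTP chroot.
# sshd rejects a ChrootDirectory whose path components are not root-owned or
# are group/other writable; when that happens the user cannot log in at all.
# Assumes GNU stat. Run as: sh check_sftp.sh (hypothetical file name).

# chroot_perms_ok OWNER MODE -> 0 if a directory with that owner and octal
# mode (e.g. root 755) satisfies sshd's ChrootDirectory rule, else 1.
chroot_perms_ok() {
  owner=$1
  mode=$2
  [ "$owner" = "root" ] || return 1
  # Keep the last three octal digits (owner, group, other); a leading
  # setuid/setgid/sticky digit, as in 1777, does not matter here.
  perms=${mode#"${mode%???}"}
  case $perms in [0-7][0-7][0-7]) ;; *) return 1 ;; esac
  group=${perms%?}; group=${group#?}
  other=${perms#??}
  for digit in "$group" "$other"; do
    case $digit in
      2|3|6|7) return 1 ;;   # write bit (2) is set for group or other
    esac
  done
  return 0
}

# chroot_dir_ok DIR -> apply the rule to DIR and to each parent up to /.
chroot_dir_ok() {
  dir=$1
  while :; do
    chroot_perms_ok "$(stat -c %U "$dir")" "$(stat -c %a "$dir")" ||
      { echo "unsafe chroot component: $dir" >&2; return 1; }
    [ "$dir" = "/" ] && return 0
    dir=$(dirname "$dir")
  done
}

# sftp_match_value FILE USER OPTION -> print OPTION's value from the
# "Match User USER" block of an sshd_config file, or nothing if absent.
# A later Match line ends the block, as it does for sshd itself.
sftp_match_value() {
  awk -v user="$2" -v opt="$3" '
    tolower($1) == "match" { inblock = (tolower($2) == "user" && $3 == user); next }
    inblock && tolower($1) == tolower(opt) { print $2; exit }
  ' "$1"
}
```

For the tutorial's layout you would call chroot_dir_ok /var/sftp and then sftp_match_value /etc/ssh/sshd_config mysftp ForceCommand, expecting internal-sftp.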