Setup SFTP-only User Accounts on CentOS

The SSH File Transfer Protocol (also Secure File Transfer Protocol, or SFTP) is a network protocol that provides file access, file transfer, and file management over any reliable data stream. It was designed by the Internet Engineering Task Force (IETF) as an extension of the Secure Shell protocol (SSH) version 2.0 to provide secure file transfer capabilities. The IETF Internet Draft states that, even though this protocol is described in the context of the SSH-2 protocol, it could be used in a number of different applications, such as secure file transfer over Transport Layer Security (TLS) and transfer of management information in VPN applications.
Step 1: Create a dedicated SFTP group and a dedicated SFTP user
groupadd sftpusers
useradd -G sftpusers -s /sbin/nologin user1
passwd user1
Here, sftpusers is the dedicated SFTP group and user1 is a dedicated SFTP user. Its login shell is /sbin/nologin, so the account cannot open an interactive SSH session.
Step 2: Modify the configuration of the sshd service
Open the configuration file of the sshd service:
vi /etc/ssh/sshd_config
Find the line:
Subsystem sftp /usr/libexec/openssh/sftp-server
Replace it with:
Subsystem sftp internal-sftp
Append the following lines to the end of the file. The group name sftpusers must match the one you created in Step 1. The block has to go at the end because every directive after a Match line applies only to connections that match it.
Match Group sftpusers
X11Forwarding no
AllowTcpForwarding no
ChrootDirectory %h
ForceCommand internal-sftp
Save and quit: use :wq
Restart the sshd service to put your changes into effect.
systemctl restart sshd.service
Step 3: Create a dedicated directory for the SFTP-only user
You need to set up the directory the SFTP-only user is confined to. sshd only accepts a ChrootDirectory whose path components are all owned by root and are not group- or world-writable, so the home directory itself is handed to root and the user gets a writable subdirectory inside it:
chown -R root /home/user1
chmod -R 755 /home/user1
mkdir /home/user1/files
chown user1. /home/user1/files
Now user1 can upload and download files only inside /home/user1/files; because the session is chrooted to /home/user1, the account cannot reach other users' files.
Step 4: Create more SFTP-only users
If you need more SFTP-only users, create them in the same fashion:
useradd -G sftpusers -s /sbin/nologin user2
passwd user2
chown -R root /home/user2
chmod -R 755 /home/user2
mkdir /home/user2/files
chown user2. /home/user2/files
That's it. Any attempt to use one of these accounts for a shell login to the system is denied; they can be used only with SFTP clients.
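As an added example (not the post's own script), the steps above combined into one shell script that provisions an SFTP-only user and then verifies the ownership and permission rules sshd enforces on a ChrootDirectory. It assumes CentOS with GNU coreutils, the group name sftpusers, and that the Match block from Step 2 is already in sshd_config.

```shell
#!/bin/sh
# Added example, not from the original post. Provisions one SFTP-only user as in
# Steps 1, 3 and 4, then checks what ChrootDirectory %h requires: every path
# component down to the chroot is root-owned and not group-/world-writable.
# Assumes root on CentOS (GNU coreutils) and the group name sftpusers.
set -eu
SFTP_GROUP=sftpusers

# Pure check on an owner uid ($1) and an octal mode ($2) as printed by
# stat -c '%u' / stat -c '%a': succeeds when sshd would accept the directory.
chroot_perms_ok() {
    m=$2
    [ "$1" -eq 0 ] || return 1
    # the leading 0 makes the shell read the mode as octal; bit 2 of the
    # group and "other" triplets is the write bit
    [ $(( (0$m >> 3) & 2 )) -eq 0 ] && [ $(( 0$m & 2 )) -eq 0 ]
}

# The same check applied to a real directory.
chroot_dir_ok() {
    [ -d "$1" ] || return 1
    chroot_perms_ok "$(stat -c '%u' "$1")" "$(stat -c '%a' "$1")"
}

# sshd checks every component from / down to the chroot, so do the same.
chroot_path_ok() {
    p=$1
    while :; do
        chroot_dir_ok "$p" || return 1
        [ "$p" = / ] && return 0
        p=$(dirname "$p")
    done
}

# Steps 1, 3 and 4 of the post for one user, followed by the verification.
provision_sftp_user() {
    user=$1
    getent group "$SFTP_GROUP" >/dev/null || groupadd "$SFTP_GROUP"
    useradd -G "$SFTP_GROUP" -s /sbin/nologin "$user"
    passwd "$user"
    chown root "/home/$user"               # the chroot itself stays root's
    chmod 755 "/home/$user"
    mkdir -p "/home/$user/files"           # only this subdirectory is writable
    chown "$user:$user" "/home/$user/files"
    chroot_path_ok "/home/$user"
}

if [ "$#" -ge 1 ]; then                    # usage: sh sftp-user.sh user1
    provision_sftp_user "$1"
fi
```

Running it with no argument only defines the functions, which is convenient for sourcing the checks into an audit script that walks /home on an existing server.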
