How To Enable SFTP Without Shell Access?
Enabling SFTP without shell access provides a secure way to manage file transfers while preventing full command-line access. In this guide, you’ll learn step-by-step how to enable SFTP without shell access to improve security on your server.
SFTP, or SSH File Transfer Protocol, is a secure method of transferring files over a network, using an encrypted SSH connection. Unlike FTP, which transmits data in plain text, SFTP ensures that file transfers are safe and protected. However, traditional SFTP setups allow both file and shell access by default, which may not be suitable for all users or security needs. By enabling SFTP without shell access, you can limit users to file transfer capabilities only, minimizing the risk of unauthorized access or accidental system changes.
By default, an SSH server gives every user on the system both file transfer (SFTP) access and shell access. There are situations, however, where you need to restrict certain users to SFTP only, without a shell. The guideline below can be used for this purpose.
Enabling SFTP without shell access is ideal for situations where you want to grant users the ability to transfer files securely without exposing your system’s command-line interface. This setup is especially useful for environments where security is a top priority, as it minimizes the risk of accidental or unauthorized changes to system configurations. By limiting access to only the SFTP protocol, you maintain control over your server’s security while allowing users to perform essential file operations.
1. Creating user account
First of all, you need to create a user account that will be granted only file transfer access to the server. It is worth creating a dedicated account for file transfers, separate from other users, because this lets you set individual permissions and control exactly what that account can reach; the user will only have access to the SFTP directory. In this guide we use the username lsuser as an example. Create the user and set the required password using the commands below.
adduser lsuser
passwd lsuser
2. Creating directory for file transfer and setting permissions
We now need to create the directory that will serve as the SFTP upload directory for the lsuser account; we will use /var/sftp/lsdir. To restrict SFTP access to the user directory only, make sure that the base directory /var/sftp is owned by root and that /var/sftp/lsdir is owned by lsuser. This split matters because sshd refuses to chroot into a directory unless that directory and every parent directory are owned by root and not writable by group or others; the user therefore gets a writable subdirectory inside the chroot rather than the chroot itself.
mkdir -p /var/sftp/lsdir
chown root:root /var/sftp
chmod 755 /var/sftp
chown lsuser:lsuser /var/sftp/lsdir
3. Configuring SSH service to restrict shell access
The SSH service configuration now needs to be modified to restrict shell access for lsuser while still allowing file transfer access. In this step we configure the SSH settings so that the newly created user gets SFTP without shell access: only file transfer capabilities are allowed, and no shell on the server is provided.
- Open SSH configuration file /etc/ssh/sshd_config using a text editor such as vi
vi /etc/ssh/sshd_config
- Scroll to the bottom of the file and add the code snippet below.
Match User lsuser
ForceCommand internal-sftp
PasswordAuthentication yes
ChrootDirectory /var/sftp
PermitTunnel no
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no
- Save and close the file.
- Restart SSH service using below command to apply the changes.
systemctl restart sshd
Troubleshooting: If you encounter issues with SFTP access, ensure that permissions on the directory are correctly set. For example, if you receive a permission error, double-check that the /var/sftp/lsdir directory is owned by the user you created. Additionally, if the SSH service (sshd) does not start as expected, check the SSH configuration file for syntax errors and restart the service with systemctl restart sshd. Common issues often stem from minor configuration errors in the SSH settings.
In summary, enabling SFTP without shell access is an effective way to secure your server by limiting user access to file transfer capabilities only. This setup ensures that essential file operations can be performed without compromising system integrity. By following these steps, you have learned how to enable SFTP without shell access, enhancing the security of your server by limiting user permissions to file transfers only.