How To Enable SFTP Without Shell Access?


Enabling SFTP without shell access provides a secure way to manage file transfers while preventing full command-line access. In this guide, you’ll learn step-by-step how to enable SFTP without shell access to improve security on your server.

SFTP, or SSH File Transfer Protocol, is a secure method of transferring files over a network, using an encrypted SSH connection. Unlike FTP, which transmits data in plain text, SFTP ensures that file transfers are safe and protected. However, traditional SFTP setups allow both file and shell access by default, which may not be suitable for all users or security needs. By enabling SFTP without shell access, you can limit users to file transfer capabilities only, minimizing the risk of unauthorized access or accidental system changes.

Generally, an SFTP-capable SSH server grants users both file transfer and shell access. However, situations arise where you need to restrict certain users to SFTP and deny them a shell. The guideline below can be used for this purpose.

Enabling SFTP without shell access is ideal for situations where you want to grant users the ability to transfer files securely without exposing your system’s command-line interface. This setup is especially useful for environments where security is a top priority, as it minimizes the risk of accidental or unauthorized changes to system configurations. By limiting access to only the SFTP protocol, you maintain control over your server’s security while allowing users to perform essential file operations.

1. Creating user account

First of all, you need to create a user account that will be granted only file transfer access to the server. In this guide we use the username lsuser as an example. Create the user and set the required password using the commands below.

Step 1: Creating a User Account with Restricted Permissions. It’s crucial to create a dedicated user for file transfers, separate from other users, as this allows you to set individual permissions and control what that user can access. Using adduser lsuser, you create a restricted account with minimal privileges, which helps keep your server secure. This user will only have access to the SFTP directory for secure file transfers.

adduser lsuser

passwd lsuser

2. Creating directory for file transfer and setting permissions

We now need to create the directory that will serve as the SFTP upload directory for the lsuser account. We will use /var/sftp/lsdir as the upload directory. To restrict SFTP access to the user directory only, make sure that the base directory /var/sftp/ is owned by root and that /var/sftp/lsdir is owned by lsuser. The root ownership is not optional: sshd refuses to chroot into a directory unless it and every parent directory are owned by root and not writable by group or others.

mkdir -p /var/sftp/lsdir

chown root:root /var/sftp

chmod 755 /var/sftp

chown lsuser:lsuser /var/sftp/lsdir

3. Configuring SSH service to restrict shell access

The SSH service configuration now needs to be modified to restrict shell access for lsuser while still allowing file transfer access. In this step, we configure the SSH settings to enable SFTP without shell access for the newly created user. This ensures that only file transfer capabilities are allowed, without providing shell access to the server.

  • Open the SSH configuration file /etc/ssh/sshd_config in a text editor such as vi.

vi /etc/ssh/sshd_config

  • Scroll to the bottom of the file and add the snippet below. It must go at the end, because every line after a Match directive applies only to the matched user until the next Match block.

Match User lsuser
ForceCommand internal-sftp
PasswordAuthentication yes
ChrootDirectory /var/sftp
PermitTunnel no
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no

  • Save and close the file.
  • Restart the SSH service using the command below to apply the changes.

systemctl restart sshd


Troubleshooting: If you encounter issues with SFTP access, ensure that the permissions on the directories are set correctly. For example, if you receive a permission error, double-check that /var/sftp/lsdir is owned by the user you created and that /var/sftp is owned by root. If the SSH service (which provides SFTP) does not restart as expected, check the SSH configuration file for syntax errors and restart the service with systemctl restart sshd. Common issues often stem from minor configuration errors in the SSH settings.

In summary, enabling SFTP without shell access is an effective way to secure your server by limiting user access to file transfer capabilities only. This setup ensures that essential file operations can be performed without compromising system integrity. By following these steps, you have learned how to enable SFTP without shell access, enhancing the security of your server by limiting user permissions to file transfers only.

Rohith Krishnan

Rohith SK is an MSC computer science graduate living in Cochin, Kerala. As a technology enthusiast, he is always on the lookout for the latest trends and developments in the field, with a particular interest in cloud computing and DevOps updates. Apart from his passion for technology, Rohith SK is an avid reader and enjoys spending his free time exploring different genres of literature. He believes that reading is one of the best ways to expand one's knowledge and understanding of the world. With his expertise in computer science and a passion for technology, Rohith SK regularly contributes articles and blog posts on the latest trends and updates in the industry. His articles offer insights and valuable perspectives on the various aspects of cloud computing and DevOps, and are widely read and appreciated by readers all over the world. As an experienced technology writer and researcher, Rohith SK's articles are well-researched, informative, and easy to understand, making them accessible to readers of all levels of technical knowledge. Whether you're a beginner looking to learn more about the latest trends in technology, or an experienced professional seeking insights and updates, Rohith's articles are sure to provide valuable information and insights.
