How To Enable SFTP Without Shell Access?
SFTP, or SSH File Transfer Protocol, is a secure way of transferring files to a server over an encrypted SSH connection. By default, SFTP is available on all servers that have SSH access enabled. SFTP is a completely different protocol from FTP (File Transfer Protocol), although FTP clients commonly support it as well.
Generally, an account with SSH access gets both file transfer (SFTP) access and shell access. There are situations, however, where certain users should be able to transfer files over SFTP but must not get a shell. The guideline below can be used for this purpose.
1. Creating a user account
First, create a user account that will be granted only file transfer access to the server. In this guide the username lsuser is used as an example. Create the user and set the required password with the commands below.
adduser lsuser
passwd lsuser
2. Creating the file transfer directory and setting permissions
Next, create the directory that will serve as the SFTP upload directory for the lsuser account; /var/sftp/lsdir is used here. To restrict the user's SFTP access to this directory only, the base directory /var/sftp must be owned by root, while /var/sftp/lsdir is owned by lsuser so the user can write there. Note that sshd refuses the login unless every component of the chroot path (here /var and /var/sftp) is owned by root and is not writable by group or others; the chmod 755 below satisfies this.
mkdir -p /var/sftp/lsdir
chown root:root /var/sftp
chmod 755 /var/sftp
chown lsuser:lsuser /var/sftp/lsdir
3. Configuring the SSH service to restrict shell access
The SSH daemon configuration now needs to be modified so that lsuser is denied a shell but still allowed to transfer files.
- Open the SSH configuration file /etc/ssh/sshd_config in a text editor such as vi.
vi /etc/ssh/sshd_config
- Scroll to the bottom of the file and add the snippet below. It must go at the end of the file, because every directive that follows a Match line applies only to the connections that match it.
Match User lsuser
    ForceCommand internal-sftp
    PasswordAuthentication yes
    ChrootDirectory /var/sftp
    PermitTunnel no
    AllowAgentForwarding no
    AllowTcpForwarding no
    X11Forwarding no
- Save and close the file.
- Restart the SSH service with the command below to apply the changes. It is worth checking the configuration syntax first with sshd -t, since a broken sshd_config can lock out all SSH logins once the service restarts.
systemctl restart sshd
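As an added example (not from the original article), a small POSIX shell pre-flight check for the ChrootDirectory requirement above: sshd refuses the login unless every component of the chroot path is root-owned and not writable by group or others. It assumes Linux with GNU coreutils (stat -c); the OWNER_UID parameter is an assumption introduced only so the rule can be exercised without root.

```shell
#!/bin/sh
# Added example, not part of the original article. Assumes GNU coreutils (stat -c).
# sshd rejects a ChrootDirectory with "bad ownership or modes for chroot
# directory" unless every path component is owned by root and has no
# group/other write bit. These helpers reproduce that rule so the layout can
# be verified before sshd is restarted.

# chroot_component_ok DIR [OWNER_UID]
# Returns 0 if DIR is a directory owned by OWNER_UID (default 0 = root) with
# no group/other write bit, 1 otherwise. OWNER_UID exists only so the rule can
# be exercised on test directories without root.
chroot_component_ok() {
    dir=$1
    want_uid=${2:-0}
    [ -d "$dir" ] || return 1
    uid=$(stat -c %u "$dir") || return 1
    perm=$(stat -c %A "$dir") || return 1      # e.g. drwxr-xr-x
    [ "$uid" = "$want_uid" ] || return 1
    case $perm in
        ?????w*|????????w*) return 1 ;;         # group or other write bit set
    esac
    return 0
}

# chroot_path_ok PATH [OWNER_UID]
# Walks /a, /a/b, /a/b/c, ... and prints the first component that fails
# chroot_component_ok; returns 0 only if every component passes.
chroot_path_ok() {
    target=$1
    want_uid=${2:-0}
    cur=""
    old_ifs=$IFS
    IFS=/
    set -- $target                              # split into path components
    IFS=$old_ifs
    for comp in "$@"; do
        [ -n "$comp" ] || continue
        cur="$cur/$comp"
        if ! chroot_component_ok "$cur" "$want_uid"; then
            echo "bad ownership or modes: $cur"
            return 1
        fi
    done
    return 0
}

# Typical use for the article's layout, all of which should hold before the
# service is restarted:
#   chroot_path_ok /var/sftp && sshd -t && systemctl restart sshd
```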