
Nov 25, 2015: SFTP is a secure way to give people access to files on a server. FTP is not a good option because passwords are transferred in plain text; use the more secure SSH instead. SFTP is based on SSH, which encrypts all passwords and data. With this option there is no need to install a separate service, as SSH is already present on almost every server.

Give users limited access to your servers with shell login disabled, so they cannot run commands or play around with other files. Log in as root to edit the following files and execute the commands.

Create an SFTP only group

This is the group where the SFTP only users will be added.
pw groupadd sftp

Configure SSH
nano /etc/ssh/sshd_config

Add these lines at the bottom of the file and change the chroot directory to suit your needs.

Match Group sftp
ChrootDirectory /home/%u
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp

Add a new SFTP user

Add a new user to your system and set the login group to sftp.

adduser
Username: customer
Full name: SFTP user
Uid (Leave empty for default):
Login group [customer]: sftp
Login group is sftp. Invite customer into other groups? []:
Login class [default]:
Shell (sh csh tcsh bash rbash nologin) [sh]:
Home directory [/home/customer]:
Home directory permissions (Leave empty for default):
Use password-based authentication? [yes]:
Use an empty password? (yes/no) [no]:
Use a random password? (yes/no) [no]:
Enter password:
Enter password again:
Lock out the account after creation? [no]:
Username : customer
Password : *****
Full Name : SFTP user
Uid : 1006
Class :
Groups : sftp
Home : /home/customer
Home Mode : root
Shell : /bin/sh
Locked : no
OK? (yes/no): yes
adduser: INFO: Successfully added (customer) to the user database.

The chroot directory must be owned by root; otherwise sshd will not let the user/group log in.

chown root:sftp /home/customer

Create a new directory within the user's home directory where files can be uploaded.
Change the ownership of this directory to the new user and the sftp group.

mkdir /home/customer/files
chown customer:sftp /home/customer/files

Restart the SSH server

service sshd restart

Test the new SFTP only user

Finally, connect to your server with the SFTP only user, navigate to the files directory you created, upload some files and test that shell login is disabled for this user. Make sure that your client supports SFTP.
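The steps above, collected into one script as an added example (this is not code from the original post). It assumes FreeBSD with `pw` available, that it is run as root, that the user name is passed as the first argument and the password on standard input, and that `sshd_config` lives at /etc/ssh/sshd_config. Before restarting sshd it also checks the chroot requirement that sshd enforces: every path component up to the chroot directory must be owned by root and not writable by group or others, which is a stricter condition than the single `chown` in the post.

```sh
#!/bin/sh
# Added example, not part of the original post. Assumes FreeBSD, root, and
# the sftp group / chroot layout from the post: /home/<user> as chroot,
# /home/<user>/files as the writable upload directory.

SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}"

# The Match block from the post, rendered verbatim.
sftp_match_block() {
    cat <<'EOF'
Match Group sftp
ChrootDirectory /home/%u
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
EOF
}

# Append the Match block only once, so rerunning the script is safe.
ensure_match_block() {
    grep -q '^Match Group sftp' "$1" || sftp_match_block >> "$1"
}

# "<owner uid> <octal permission bits>" for a path; GNU stat is tried first
# (it only has -c), then BSD stat (which only has -f).
owner_and_mode() {
    stat -c '%u %a' "$1" 2>/dev/null || stat -f '%u %OLp' "$1"
}

# One directory: must be root-owned and not group- or world-writable.
check_chroot_dir() {
    set -- "$1" $(owner_and_mode "$1")
    [ "$2" -eq 0 ] 2>/dev/null || { echo "$1: not owned by root" >&2; return 1; }
    case "$3" in
        *[2367][0-7]|*[2367]) echo "$1: group/world writable ($3)" >&2; return 1 ;;
    esac
}

# Every component of the chroot path, down to /, must pass the check;
# sshd refuses the login otherwise.
check_chroot_path() {
    dir=$1
    while [ -n "$dir" ]; do
        check_chroot_dir "$dir" || return 1
        dir=${dir%/*}
    done
    check_chroot_dir /
}

# Full procedure: group, user, ownership, upload directory, sshd config, restart.
setup_sftp_user() {
    user=$1
    home="/home/$user"
    pw groupshow sftp >/dev/null 2>&1 || pw groupadd sftp
    # -h 0 reads the password from stdin; shell stays /bin/sh as in the post,
    # ForceCommand internal-sftp means it is never started anyway.
    pw useradd "$user" -g sftp -m -d "$home" -s /bin/sh -h 0
    chown root:sftp "$home"
    chmod 755 "$home"
    mkdir -p "$home/files"
    chown "$user:sftp" "$home/files"
    ensure_match_block "$SSHD_CONFIG"
    check_chroot_path "$home" || return 1
    # Validate the config before restarting so a typo cannot lock you out.
    sshd -t -f "$SSHD_CONFIG" || return 1
    service sshd restart
}

if [ $# -gt 0 ]; then
    setup_sftp_user "$@"
fi
```

Usage: `echo 'secret' | sh sftp-user.sh customer`. The `sshd -t` step is the check worth keeping even when doing this by hand, since a broken sshd_config only shows up at the restart.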
