Enabling SFTP Without Shell Access on CentOS


SFTP stands for SSH File Transfer Protocol. It is a secure method of transferring files to a server over an encrypted SSH connection. Despite the similar name, it is a completely different protocol from File Transfer Protocol (FTP), and it is widely supported by modern FTP clients. SFTP is available by default, without any additional configuration, on any server that has SSH access enabled. It is simple and secure to use.


Sometimes you may want a few users to be permitted only file transfers and no SSH access. In this article you will set up the SSH daemon (sshd) to limit SFTP access to a single directory, with no SSH shell access allowed, on a per-user basis.


1) Creating the New User


To begin, create a new user that will be permitted only file transfer access to the server. In this article the username is abcdfiles, but you can use any username you like.


sudo adduser abcdfiles


Now assign a password to the new user:


sudo passwd abcdfiles


Enter a strong password and confirm it.


2) Creating the Directory for File Transfers


To restrict SFTP access to a single directory, the directory must meet the SSH server's permission requirements, which are very particular. Specifically, the directory itself and all the directories above it in the filesystem tree must be owned by root and must not be writable by anyone else. As a consequence, it is not straightforward to restrict a user to their home directory, since home directories are owned by the user and not by root.


There are several ways to work around the ownership issue. In this article we will create /var/sftp/uploads and use it as the target upload directory. /var/sftp will be owned by root and will not be writable by other users. The subdirectory /var/sftp/uploads will be owned by abcdfiles, so the user will be able to upload files into it.


Create the directories:


sudo mkdir -p /var/sftp/uploads


Set the owner of /var/sftp to root:


sudo chown root:root /var/sftp


Give root write permission on the same directory, and give other users read and execute rights only:


sudo chmod 755 /var/sftp


Now change the ownership of the uploads directory to abcdfiles:


sudo chown abcdfiles:abcdfiles /var/sftp/uploads


Now that the directory structure is in place, you can configure the SSH server itself.


3) Limiting Access to One Directory


Now modify the SSH server configuration to deny terminal access to abcdfiles while still allowing file transfer access.


Open the SSH server configuration file with vi or the text editor of your choice:


sudo vi /etc/ssh/sshd_config


Go to the bottom of the file and add the following configuration block:



. . .


Match User abcdfiles

ForceCommand internal-sftp

PasswordAuthentication yes

ChrootDirectory /var/sftp

PermitTunnel no

AllowAgentForwarding no

AllowTcpForwarding no

X11Forwarding no


Save and close the file.
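Before restarting sshd, it is worth checking that the chroot path meets the ownership rules from step 2: sshd refuses a ChrootDirectory whose directory, or any parent up to /, is not owned by root or is writable by group or other, logging "bad ownership or modes for chroot directory" and disconnecting the user, who then cannot log in at all. The following shell function is an added example, not part of the original article; it assumes GNU stat as shipped on CentOS, and its optional owner and top arguments (defaulting to root and /) exist only so the check can be exercised on a non-root test tree. In production, call it as check_chroot_path /var/sftp.

```shell
#!/bin/sh
# Added example, not from the original article. Pre-flight check for a
# ChrootDirectory: sshd requires the directory and every parent up to / to be
# owned by root and not writable by group or other; otherwise the user is
# disconnected and "bad ownership or modes for chroot directory" is logged.
# Assumes GNU stat (CentOS). The owner and top arguments default to root and /
# and exist only so the check can be run on a non-root test tree.
check_chroot_path() {
    dir="$1"; owner="${2:-root}"; rc=0
    top=$(cd "${3:-/}" && pwd -P) || return 2
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    cur=$(cd "$dir" && pwd -P)       # sshd checks the real path, so resolve symlinks
    while :; do
        o=$(stat -c '%U' "$cur")
        m=$(stat -c '%A' "$cur")     # e.g. drwxr-xr-x; group w is char 6, other w is char 9
        if [ "$o" != "$owner" ]; then
            echo "BAD  $cur: owned by $o, expected $owner" >&2; rc=1
        fi
        case "$m" in
            ?????w*|????????w*)
                echo "BAD  $cur: mode $m is group/other writable" >&2; rc=1 ;;
        esac
        [ "$cur" = "$top" ] && break
        [ "$cur" = "/" ] && break    # safety stop if top is not an ancestor of dir
        cur=$(dirname "$cur")
    done
    [ "$rc" -eq 0 ] && echo "OK   $dir and its parents satisfy sshd's chroot rules"
    return "$rc"
}

# Usage: sh check_chroot.sh /var/sftp   (exit status 0 means safe to use as ChrootDirectory)
if [ $# -gt 0 ]; then check_chroot_path "$@"; fi
```

Note that /var/sftp/uploads is below the chroot and is deliberately owned and writable by the user; only the chroot directory and its parents are checked.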


Restart the service to apply the configuration changes:


sudo systemctl restart sshd


You have now configured the SSH server to restrict abcdfiles to file transfer access only. The final step is testing the configuration to ensure it works as intended.


4) Verification of the Configuration


Ensure that the new abcdfiles user is only able to transfer files.


Logging in to the server as abcdfiles using normal shell access should no longer be possible:


ssh abcdfiles@localhost


You will see the following message before being returned to your original prompt:


Error message


This service allows sftp connections only.

Connection to localhost closed.


This means that abcdfiles can no longer access the server shell over SSH.


Next, verify that the user can successfully access SFTP for transferring files:


sftp abcdfiles@localhost


Instead of the error message, this command will show a successful login message and an interactive prompt:


SFTP prompt

Connected to localhost.



You can list the directory contents from the prompt:


sftp> ls


It will display the uploads directory that was created previously and return you to the sftp> prompt.


SFTP file list output



To verify that the user is indeed restricted to the directory and cannot access any directory above it, try changing to the parent directory:


sftp> cd ..


This command will not produce an error, but listing the directory contents as before will show no change, proving that the user cannot move to the parent directory.


You have now verified that the restricted configuration works as expected. The new abcdfiles user can access the server over SFTP for file transfers and has no ability to access a full shell.
