Enabling SFTP Without Shell Access on CentOS

SFTP stands for SSH File Transfer Protocol. It is a secure method of transferring files to a server over an encrypted SSH connection. It is a completely different protocol from File Transfer Protocol (FTP), and it is widely supported by modern FTP clients. SFTP is available by default, without any additional configuration, on servers that have SSH access enabled. It is simple and secure to use.

Sometimes you may want only a few users to be permitted file transfers and no SSH access. In this article, you will configure the SSH daemon to limit SFTP access to a single directory without allowing SSH access, on a per-user basis.

1) Creating the New User

First, create a new user that will be permitted only file transfer access to the server. This article uses the username abcdfiles, but you can use any username you like.

sudo adduser abcdfiles

Now you need to assign a password to the new user:

sudo passwd abcdfiles

Enter a strong password and confirm it.

2) Creating the Directory for Transferring Files

To restrict SFTP access to a single directory, you first have to make sure the directory complies with the SSH server's permission requirements, which are very particular. Specifically, the directory itself and all directories above it in the filesystem tree must be owned by root and must not be writable by anyone else. Consequently, it is not straightforward to give restricted access to a user's home directory, since home directories are owned by the user rather than by root.

There are several ways to work around the ownership issue. In this article, we will create /var/sftp/uploads and use it as the target upload directory. /var/sftp will be owned by root and will not be writable by other users. The subdirectory /var/sftp/uploads will be owned by abcdfiles, so that user will be able to upload files into it.

Create the directories:

sudo mkdir -p /var/sftp/uploads

Set the owner of /var/sftp to root:

sudo chown root:root /var/sftp

Give root write permissions on that directory, and give other users read and execute rights only:

sudo chmod 755 /var/sftp

Change the ownership of the uploads directory to abcdfiles:

sudo chown abcdfiles:abcdfiles /var/sftp/uploads

Now that the directory structure is in place, you can configure the SSH server itself.
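
The ownership rule above is exactly what sshd enforces for ChrootDirectory: every directory from /var/sftp up to / must be owned by root and must not be group- or world-writable, otherwise sshd refuses the login. The following POSIX shell helper, added here as an example and not part of the original article, walks the path and reports the first component that breaks the rule; the function names and the optional uid argument are choices made for this example.

```shell
#!/bin/sh
# Check one directory against sshd's ChrootDirectory rule: owned by the
# expected uid (root = 0) and not group- or world-writable.
# Prints the reason and returns 1 on the first violation.
chroot_dir_ok() {
    dir=$1
    want_uid=${2:-0}               # sshd requires root; overridable for tests
    [ -d "$dir" ] || { echo "$dir: not a directory"; return 1; }
    uid=$(stat -c %u "$dir")
    mode=$(stat -c %a "$dir")
    perms=$(printf '%s' "$mode" | tail -c 3)   # last three octal digits (drops setuid/sticky)
    grp=${perms%?}; grp=${grp#?}   # group digit
    oth=${perms#??}                # other digit
    [ "$uid" = "$want_uid" ] || { echo "$dir: owned by uid $uid, expected $want_uid"; return 1; }
    case $grp in 2|3|6|7) echo "$dir: group-writable (mode $mode)"; return 1 ;; esac
    case $oth in 2|3|6|7) echo "$dir: world-writable (mode $mode)"; return 1 ;; esac
    return 0
}

# Walk from the chroot directory up to /, as sshd does before accepting it.
chroot_path_ok() {
    p=$1
    while :; do
        chroot_dir_ok "$p" "${2:-0}" || return 1
        [ "$p" = "/" ] && break
        p=$(dirname "$p")
    done
    return 0
}

# On the article's layout /var/sftp is the ChrootDirectory, so it and every
# parent must pass; /var/sftp/uploads sits below the chroot and may be owned
# by abcdfiles without breaking the rule.
if chroot_path_ok /var/sftp; then
    echo "/var/sftp is usable as ChrootDirectory"
fi
```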


3) Limiting Access to a Single Directory

Now modify the SSH server configuration to deny terminal access for abcdfiles while still allowing file transfer access.

Open the SSH server configuration file with vi or a text editor of your choice:

sudo vi /etc/ssh/sshd_config

Go to the bottom of the file and add the following configuration snippet. It must come after the global settings, because a Match block applies to everything that follows it until the next Match line:

/etc/ssh/sshd_config

. . .

# SFTP-only access for abcdfiles: no shell, chrooted to /var/sftp
Match User abcdfiles
    ForceCommand internal-sftp
    PasswordAuthentication yes
    ChrootDirectory /var/sftp
    PermitTunnel no
    AllowAgentForwarding no
    AllowTcpForwarding no
    X11Forwarding no

Save and close the file.

Restart the service to apply the configuration changes:

sudo systemctl restart sshd

You have now configured the SSH server to restrict abcdfiles to file transfer access. The final step is to test the configuration to make sure it works as intended.
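
The edit and restart above can also be done as one scripted step. The following POSIX shell helpers, added here as an example rather than taken from the original article, append the Match block only if one for that user is not already present and run sshd -t on the file before restarting, so a typo cannot leave you locked out; the function names are made up for this example.

```shell
#!/bin/sh
# Emit the article's Match block for one user and chroot directory.
sftp_match_block() {
    cat <<EOF

# SFTP-only access for $1: no shell, chrooted to $2
Match User $1
    ForceCommand internal-sftp
    PasswordAuthentication yes
    ChrootDirectory $2
    PermitTunnel no
    AllowAgentForwarding no
    AllowTcpForwarding no
    X11Forwarding no
EOF
}

# Append the block to a config file unless a Match block for that user is
# already there, so re-running the script does not duplicate it.
# Prints "added" or "exists".
install_sftp_match() {
    cfg=$1; user=$2; chroot=$3
    if grep -q "^Match User $user\$" "$cfg"; then
        echo "exists"
    else
        sftp_match_block "$user" "$chroot" >>"$cfg"
        echo "added"
    fi
}

# Validate before restarting: sshd -t parses the file and exits non-zero on a
# syntax error, which would otherwise stop sshd from starting and lock you out.
apply_sshd_config() {
    cfg=${1:-/etc/ssh/sshd_config}
    if ! sshd -t -f "$cfg"; then
        echo "$cfg failed validation; not restarting sshd" >&2
        return 1
    fi
    systemctl restart sshd
}

# Usage on the article's setup (run as root):
#   install_sftp_match /etc/ssh/sshd_config abcdfiles /var/sftp
#   apply_sshd_config
```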


4) Verifying the Configuration

Make sure that the new abcdfiles user can only transfer files.

Logging in to the server as abcdfiles with normal shell access should no longer be possible:

ssh abcdfiles@localhost

You will see the following message before being returned to your original prompt:

Error message

This service allows sftp connections only.
Connection to localhost closed.

This means that abcdfiles can no longer access the server shell over SSH.

Next, verify that the user can successfully access SFTP to transfer files:

sftp abcdfiles@localhost

Instead of the error message, this command shows a successful login message and an interactive prompt:

SFTP prompt

Connected to localhost.
sftp>

List the directory contents from the prompt:

sftp> ls

This shows the uploads directory created earlier and returns you to the sftp> prompt.

SFTP file list output

uploads

To verify that the user is really restricted to that directory and cannot access any directory above it, try changing to the parent directory:

sftp> cd ..

This command will not produce an error, but listing the directory contents as before will show no change, proving that the user was not able to switch to the parent directory.

You have now verified that the restricted configuration works as expected. The new abcdfiles user can access the server only through the SFTP protocol for file transfers and cannot get a full shell.