Enabling SFTP Without Shell Access on CentOS
SFTP stands for SSH File Transfer Protocol. It is a secure way of transferring files to a server over an encrypted SSH connection, and it is a completely different protocol from File Transfer Protocol (FTP), although most modern FTP clients support it. SFTP is available by default, with no additional configuration, on any server that has SSH access enabled. It is simple and secure to use.
Sometimes you may want to permit only file transfers for certain users, with no SSH shell access at all. In this article you will configure the SSH daemon to limit SFTP access to a single directory and to disallow shell access, on a per-user basis.
1) Creating the New User
First, create a new user who will be permitted only file-transfer access to the server. In this example the username is abcdfiles, but you can use any username you like.
sudo adduser abcdfiles
Now assign a password to the new user:
sudo passwd abcdfiles
Enter a strong password and confirm it.
2) Creating the Directory for File Transfers
To restrict SFTP access to one directory, that directory must satisfy the SSH server's permission requirements, which are very specific: the directory itself and every directory above it in the filesystem tree must be owned by root and must not be writable by anyone else. Consequently it is not possible to simply grant restricted access to a user's home directory, because home directories are owned by the user rather than by root.
There are several ways to work around the ownership issue. In this article we will create /var/sftp/uploads and use it as the target upload directory. /var/sftp will be owned by root and will not be writable by other users. The subdirectory /var/sftp/uploads will be owned by abcdfiles, so that user can upload files into it.
Create the directories:
sudo mkdir -p /var/sftp/uploads
Set the owner of /var/sftp to root:
sudo chown root:root /var/sftp
Give root write permission to that directory, and give all other users read and execute rights only:
sudo chmod 755 /var/sftp
Now change the ownership of the uploads directory to abcdfiles:
sudo chown abcdfiles:abcdfiles /var/sftp/uploads
With the directory structure in place, you can configure the SSH server itself.
3) Limiting Access to One Directory
Now modify the SSH server configuration to deny terminal access for abcdfiles while still allowing file-transfer access.
Open the SSH server configuration file with vi or the text editor of your choice:
sudo vi /etc/ssh/sshd_config
Go to the bottom of the file and add the following configuration block. It must be placed at the very end, because every directive that follows a Match line applies only to that match. The ChrootDirectory line confines the user to /var/sftp (the root-owned directory created above), and ForceCommand internal-sftp is what replaces the shell with the SFTP subsystem:
. . .
Match User abcdfiles
    ChrootDirectory /var/sftp
    ForceCommand internal-sftp
Then save and close the file.
Before restarting, you can check the file for syntax errors with sudo sshd -t, which avoids locking yourself out with a broken configuration. Then restart the service to apply the change:
sudo systemctl restart sshd
You have now configured the SSH server to restrict abcdfiles to file-transfer access only. The final step is testing the configuration to make sure it behaves as intended.
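The two steps above (the root-owned directory chain in section 2 and the Match block in section 3) are where this setup most often goes wrong: sshd refuses the chroot if any path component is not root-owned or is group/world writable, and ForceCommand on its own still leaves port, agent and X11 forwarding available to the user. The following script is an added example for this article, not code from the original text or from OpenSSH; the function names check_chroot_dir, check_chroot_path and render_sftp_match are this example's own choices. It checks a chroot path against sshd's ownership and mode rules and prints the Match block, including the forwarding directives, for a given user and directory.

```shell
#!/bin/sh
# Added example for this article; not part of the original text or of OpenSSH.
# Function names (check_chroot_dir, check_chroot_path, render_sftp_match) are
# this example's own choices. Verifies that a ChrootDirectory path meets sshd's
# ownership and mode rules before the server is restarted, and renders the
# Match block that the article appends to /etc/ssh/sshd_config.

# Check a single directory: owned by uid $2 (default 0, root) and not
# writable by group or others. sshd enforces this on the chroot directory
# and on every parent directory up to / (it logs "bad ownership or modes
# for chroot directory component" otherwise).
check_chroot_dir() {
    d=$1
    want_uid=${2:-0}
    [ -d "$d" ] || { echo "not a directory: $d" >&2; return 1; }
    uid=$(stat -c '%u' "$d")
    perm=$(stat -c '%A' "$d")          # symbolic mode, e.g. drwxr-xr-x
    if [ "$uid" != "$want_uid" ]; then
        echo "bad owner on $d: uid $uid (want $want_uid)" >&2
        return 1
    fi
    # character 6 is the group write bit, character 9 the others write bit
    case $perm in
        ?????w*|????????w*)
            echo "writable by group or others: $d ($perm)" >&2
            return 1 ;;
    esac
    return 0
}

# Walk from the chroot directory up to / and check every component.
# Reports every offending directory rather than stopping at the first one.
check_chroot_path() {
    top=$(cd "$1" 2>/dev/null && pwd -P) || { echo "cannot resolve: $1" >&2; return 1; }
    rc=0
    while :; do
        check_chroot_dir "$top" "${2:-0}" || rc=1
        [ "$top" = "/" ] && break
        top=$(dirname "$top")
    done
    return $rc
}

# Render the sshd_config Match block for one user ($1) and chroot dir ($2).
# The forwarding directives close the side channels that ForceCommand alone
# leaves open (TCP port, agent and X11 forwarding, tunnels).
render_sftp_match() {
    cat <<EOF
Match User $1
    ChrootDirectory $2
    ForceCommand internal-sftp
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTunnel no
EOF
}

# Stand-alone use, e.g.:  sh sftp_jail_check.sh /var/sftp abcdfiles
# Prints the Match block only if the jail passes the permission check.
if [ $# -eq 2 ]; then
    check_chroot_path "$1" && render_sftp_match "$2" "$1"
fi
```

Run it against /var/sftp before restarting sshd; if it reports a writable or non-root component, fix that directory's owner or mode first, otherwise every login for the matched user will fail with the "bad ownership or modes" error rather than the SFTP session you expect.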
4) Verification of the Configuration
Ensure that the new abcdfiles user can only transfer files.
Logging in to the server as abcdfiles with a normal SSH login (for example ssh abcdfiles@localhost) should no longer be possible.
You will see the following message before being returned to your original prompt:
This service allows sftp connections only.
Connection to localhost closed.
This confirms that abcdfiles can no longer obtain a server shell over SSH.
Next, verify that the user can successfully access SFTP to transfer files, for example with sftp abcdfiles@localhost.
Instead of the error message, this command shows a successful login message and an interactive prompt:
Connected to localhost.
At the prompt, list the directory contents with ls.
This shows the uploads directory created previously and returns you to the sftp> prompt.
(Image: SFTP file list output)
To verify that the user is really restricted to that directory and cannot reach any directory above it, try changing to the parent directory:
sftp> cd ..
This command does not produce an error, but listing the directory contents as before shows no change, proving that the user could not switch to the parent directory.
You have now verified that the restricted configuration works as expected. The new abcdfiles user can access the server only through the SFTP protocol for file transfer and cannot obtain a full shell.