Setup SFTP-Only User Accounts On Ubuntu 14
Introduction
Certain scenarios require you to create users with read and write access to a single directory via SFTP only. This write-up shows you how to create such users. They will not be able to navigate outside their home directory, log in to the server via SSH, or execute shell commands.
Setup SFTP Group and Service
Create sftpusers group.
sudo groupadd sftpusers
Comment out the existing Subsystem sftp line in the sshd config file; it will be replaced by the internal-sftp subsystem in the next step (sshd rejects two Subsystem sftp lines).
sudo sed -i 's|^Subsystem sftp /usr/lib/openssh/sftp-server|#Subsystem sftp /usr/lib/openssh/sftp-server|' /etc/ssh/sshd_config
Open the sshd config file
sudo nano /etc/ssh/sshd_config
, add the snippet below to it, and exit (Ctrl+X -> Y -> Hit Enter). Note that sshd_config does not accept trailing comments on a directive line, so the comments sit on their own lines.
#enable sftp
Subsystem sftp internal-sftp
Match Group sftpusers
    #set the home directory as the chroot
    ChrootDirectory %h
    ForceCommand internal-sftp
    X11Forwarding no
    AllowTCPForwarding no
    PasswordAuthentication yes
Restart ssh.
sudo service ssh restart
Creating Users
Repeat the process below for every SFTP only user you want to add to the server.
# create user
sudo adduser sftpuser1
# prevent ssh login & assign SFTP group
sudo usermod -g sftpusers sftpuser1
sudo usermod -s /bin/nologin sftpuser1
# chroot user (so they only see their directory after login)
sudo chown root:sftpuser1 /home/sftpuser1
sudo chmod 755 /home/sftpuser1
sudo mkdir /home/sftpuser1/uploads
sudo chown sftpuser1:sftpuser1 /home/sftpuser1/uploads
sudo chmod 755 /home/sftpuser1/uploads
You can make creating users faster by wrapping the above into a function and adding it to your .bash_profile: (1) run sudo nano ~/.bash_profile; (2) add the snippet below to it; (3) run source ~/.bash_profile.
After that, creating a new SFTP user is as easy as running the command create_sftp_user with a username as its parameter.
# usage: create_sftp_user <username>
function create_sftp_user() {
    # create user
    sudo adduser "$1"
    # prevent ssh login & assign SFTP group
    sudo usermod -g sftpusers "$1"
    sudo usermod -s /bin/nologin "$1"
    # chroot user (so they only see their directory after login)
    sudo chown root:"$1" /home/"$1"
    sudo chmod 755 /home/"$1"
    sudo mkdir /home/"$1"/uploads
    sudo chown "$1":"$1" /home/"$1"/uploads
    sudo chmod 755 /home/"$1"/uploads
}
Test to make sure the user you created can connect to the server via SFTP (Note: Connect using SFTP and not FTP).
Written by Lami Adabonyan