Atlantic.Net Blog

How to Create a SFTP User without Shell Access on CentOS 8

SFTP stands for “SSH File Transfer Protocol.” It is a file transfer protocol that runs over SSH and is used to transfer files between two hosts. By default, any user who has SSH access to a server can also use SFTP. However, that means every file-transfer user is also granted terminal access, which is not recommended for security reasons.

In this tutorial, we will learn how to create an SFTP user without shell access so that the user has only SFTP access and not SSH access.

Step 1 – Create an SFTP User

First, you will need to create a new user with only file transfer access. You can create a new user named sftp using the following command:

adduser sftp

Next, set the password for the above user:

passwd sftp

Provide your desired password and hit enter.

Step 2 – Create a Directory Structure for File Transfers

Next, you will need to create a directory structure for file transfers, so that SFTP access can be restricted to a single directory.

You can create a new directory with the following command:

mkdir -p /opt/sftp/public

Next, set the ownership of the /opt/sftp/ directory to root. sshd requires the chroot directory, and every directory above it, to be owned by root and not writable by group or others; otherwise it refuses the login:

chown root:root /opt/sftp

Next, set permissions that satisfy that requirement (owner may write, nobody else can):

chmod 755 /opt/sftp

Next, give the sftp user ownership of the public subdirectory, which is the only place inside the chroot it will be able to write:

chown sftp:sftp /opt/sftp/public

Step 3 – Configure SSH for SFTP

Next, you will need to configure SSH to restrict access to one directory and disallow terminal access to the sftp user.

You can do it by editing the file /etc/ssh/sshd_config:

nano /etc/ssh/sshd_config

Add the following lines at the end of the file (a Match block extends to the next Match block or the end of the file, so it must come after all global options):

Match User sftp
ForceCommand internal-sftp
PasswordAuthentication yes
ChrootDirectory /opt/sftp
PermitTunnel no
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no

Save and close the file when you are finished. Then, restart the SSH service to apply the changes:

systemctl restart sshd
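As an added example (not part of the original tutorial), the following POSIX shell helpers generate the Match block from Step 3, check the ownership and permission rule sshd enforces on the chroot path, and tie Steps 1 to 3 together. The function names are this example's own, and it assumes GNU stat as found on CentOS 8.

```shell
#!/bin/sh
# Added example, not from the tutorial: helpers for provisioning an
# SFTP-only user. Function names are this example's own invention.

# Print the sshd_config Match block for user $1 chrooted to directory $2.
sftp_match_block() {
    printf 'Match User %s\n' "$1"
    printf '    ForceCommand internal-sftp\n'
    printf '    PasswordAuthentication yes\n'
    printf '    ChrootDirectory %s\n' "$2"
    printf '    PermitTunnel no\n'
    printf '    AllowAgentForwarding no\n'
    printf '    AllowTcpForwarding no\n'
    printf '    X11Forwarding no\n'
}

# Walk from the chroot directory up to / and fail on the first component that
# is missing, not owned by uid 0, or writable by group/others. sshd refuses
# the login if any of these hold, so catching it here avoids a confusing
# "Connection closed" at login time. Uses GNU stat (CentOS 8).
check_chroot_path() {
    dir=$1
    while [ -n "$dir" ] && [ "$dir" != / ]; do
        [ -d "$dir" ] || { echo "missing directory: $dir"; return 1; }
        [ "$(stat -c %u "$dir")" = 0 ] || { echo "not root-owned: $dir"; return 1; }
        case "$(stat -c %A "$dir")" in          # e.g. drwxr-xr-x
            ?????w*|????????w*) echo "group/world writable: $dir"; return 1 ;;
        esac
        dir=$(dirname "$dir")
    done
}

# Steps 1-3 as one function. Run as root: provision_sftp_user sftp /opt/sftp
provision_sftp_user() {
    user=$1 chroot=$2
    id "$user" >/dev/null 2>&1 || { adduser "$user" && passwd "$user"; }
    mkdir -p "$chroot/public"
    chown root:root "$chroot" && chmod 755 "$chroot"
    chown "$user:$user" "$chroot/public"
    check_chroot_path "$chroot" || return 1
    # Append the Match block only once, then validate before restarting.
    grep -q "^Match User $user\$" /etc/ssh/sshd_config ||
        sftp_match_block "$user" "$chroot" >> /etc/ssh/sshd_config
    sshd -t && systemctl restart sshd
}
```

Running `sshd -t` before the restart matters: a syntax error in sshd_config would otherwise leave the daemon down and lock you out of the server.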

Step 4 – Verify SFTP

Now, verify the SFTP access with the following command:

sftp sftp@your-server-ip

You will be asked to provide a password as shown below:

sftp@your-server-ip's password:

Provide your sftp user password and hit Enter. Once connected, you should see the following output:

Connected to your-server-ip.
sftp>

Next, run the following command to list the directory:

sftp> ls

You should see the public directory in the following output:

public
sftp>

Next, verify that the user can no longer open an SSH shell session:

ssh sftp@your-server-ip

You will be asked to provide a password as shown below:

sftp@your-server-ip's password:

Provide your sftp user password and hit Enter. You should see the following output:

This service allows sftp connections only.
Connection to your-server-ip closed.

The above output indicates that the sftp user can no longer access the server shell via SSH; ForceCommand internal-sftp rejects anything other than an SFTP session.

Conclusion

Congratulations! You have successfully configured SFTP without shell access on CentOS 8. You can also use this setup for multiple users and directories by adding one Match block per user. Get started with SFTP today on a VPS from Atlantic.Net!
