SFTP provides a secure way of giving clients FTP-like file access. It comes built in with the openssh-server package. Creating SFTP accounts is as straightforward as creating normal user accounts. However, if you want to restrict users to their designated folder only, a chroot setup is needed. This improves security: chrooted SFTP users cannot log in to a normal bash shell and cannot view system folders once they are logged in. This tutorial walks you through the SFTP server setup.
Step:1 Create a group for the sftp users
[root@localhost ~]# groupadd sftp_users
Step:2 Assign the secondary group (sftp_users) to the user.
If the user does not exist on the system yet, use the commands below:
[root@localhost ~]# useradd -G sftp_users -s /sbin/nologin john
[root@localhost ~]# passwd john
For an already existing user, use the usermod command below:
[root@localhost ~]# usermod -G sftp_users -s /sbin/nologin john
Note: if you want to change the default home directory of a user, use the '-d' option of useradd or usermod and set the correct permissions.
Step:3 Now edit the config file "/etc/ssh/sshd_config"
Comment out the line below
#Subsystem sftp /usr/libexec/openssh/sftp-server
And add the line below
Subsystem sftp internal-sftp
Add the lines below at the end of the file (the block is indented under Match so it is clear which directives it covers)
Match Group sftp_users
    ChrootDirectory %h
    ForceCommand internal-sftp
- Match Group sftp_users – The directives that follow apply only to users who belong to the group sftp_users; everything before the Match line keeps applying to all users.
- ChrootDirectory %h – The path used as the chroot after the user is authenticated; %h expands to the authenticated user's home directory, so for john this is /home/john.
- ForceCommand internal-sftp – Forces execution of the in-process SFTP server and ignores any command supplied by the client as well as the ~/.ssh/rc file, so a shell cannot be obtained even if one were assigned.
Apply your changes by restarting the ssh service
[root@localhost ~]# service sshd restart
Step:4 Set the permissions:
[root@localhost ~]# chmod 755 /home/john
[root@localhost ~]# chown root /home/john
[root@localhost ~]# chgrp -R sftp_users /home/john
Note: sshd requires the chroot directory, and every directory above it, to be owned by root and not writable by group or others. If /home/john were owned by john, sshd would reject the login with "bad ownership or modes for chroot directory". Because john therefore cannot write to the top of his chroot, uploads go into a subdirectory that he owns, created in the next step.
If you want john to be able to upload files, create an upload folder with the permissions below:
[root@localhost john]# mkdir /home/john/upload
[root@localhost john]# chown john:sftp_users /home/john/upload
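As an added example that is not part of this tutorial, the following POSIX shell script checks the rule sshd enforces on ChrootDirectory (the root directory and every component of the path must be owned by root and be writable by neither group nor others) before you restart sshd. It assumes GNU coreutils stat (stat -c) as found on CentOS/RHEL; the script name and the function names are my own.

```shell
#!/bin/sh
# Added example: verify a chroot path against sshd's ChrootDirectory rules.
# sshd checks "/" and every component down to the chroot itself; any
# component not owned by root, or writable by group or others, makes the
# SFTP login fail with "bad ownership or modes for chroot directory".
# Pure check on one component: uid is the numeric owner, perm is the octal
# mode string printed by `stat -c %a` (e.g. 755, 1777, 2750).
# Returns 0 if sshd would accept this component, 1 otherwise.
chroot_component_ok() {
    uid=$1
    perm=$2
    [ "$uid" -eq 0 ] || return 1          # must be owned by root
    case $perm in
        *[2367]?) return 1 ;;             # group write bit set
    esac
    case $perm in
        *[2367]) return 1 ;;              # world write bit set
    esac
    return 0
}
# Walk "/" and each component of the given path and report every one.
# Returns 0 only if all components pass.
check_chroot_path() {
    target=$1
    rc=0
    current=""
    for part in "" $(printf '%s' "$target" | tr '/' ' '); do
        current="${current%/}/$part"
        info=$(stat -c '%u %a' "$current" 2>/dev/null) || {
            echo "MISSING $current"
            rc=1
            continue
        }
        uid=${info% *}
        perm=${info#* }
        if chroot_component_ok "$uid" "$perm"; then
            echo "ok      $current (uid=$uid mode=$perm)"
        else
            echo "BAD     $current (uid=$uid mode=$perm): needs root owner, no g/o write"
            rc=1
        fi
    done
    return $rc
}
# Usage: sh check_chroot.sh /home/john
if [ $# -gt 0 ]; then
    check_chroot_path "$1" && echo "chroot path OK, safe to restart sshd"
fi
```

Run it after Step 4 on each sftp user's home; a BAD line on /home/john means the login will fail with the "bad ownership" error, and a BAD line on /home or / means the parent directories need fixing too.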