Creating Sftp Only Account
Summary
Let’s say you want an account on another server to back up to. Perhaps you want to host one yourself, or simply give a friend some space for storing a few things. For security, the user ideally should not be able to log in and poke around: they should get sftp only, with no shell access, and they shouldn’t be able to see anything outside their home directory. This is quite possible and easy to do on Ubuntu and Debian Linux.
Create user
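For this procedure to work, the user’s home directory and all directories above it have to be owned by root. Normally /home is owned by root, so that part shouldn’t be an issue. Let’s create a new user named “backup”. Debian and Ubuntu already ship a system account called backup, so if adduser reports that the user exists, pick another name and substitute it in the commands that follow.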
sudo adduser backup
Modify Home Directory Owner
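We are going to chroot the backup user. This means the root of the filesystem he sees, “/”, will really be a directory on the host, in this case his home directory. sshd requires this directory to be owned by root and not writable by any other user or group, otherwise the ChrootDirectory setting we’ll add later will not work. The chmod makes sure the backup user can still enter the directory, since recent Ubuntu and Debian releases create home directories that are closed to other users.
sudo chown root:root /home/backup
sudo chmod 755 /home/backup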
Setup backup directory
Now we’ll set up a directory for the sftp files to be stored in, and limit that directory to just the backup user. This will enable him to see and store files via sftp. We’ll also make sure no other non-root user on the system can see his files. The sftp user should send all their files to this directory, since they will not have permission to create files in their login directory.
sudo -- sh -c 'mkdir /home/backup/files; chown backup:backup /home/backup/files; chmod 770 /home/backup/files'
Make ssh keys for sftp access (optional)
We’ll make him a keyfile he can use to access the machine and avoid using passwords. Using keyfiles is generally considered more secure than passwords, and many admins disable all password access in sshd so that passwords can never be used. This step is optional; you don’t have to use keyfiles. Because /home/backup now belongs to root, the .ssh directory has to be created as root and then handed over to the backup user before he can generate the key in it.
sudo -- sh -c 'mkdir -m 700 /home/backup/.ssh && chown backup:backup /home/backup/.ssh'
sudo -iu backup -- sh -c 'ssh-keygen -t rsa -f .ssh/id_rsa && mv .ssh/id_rsa.pub .ssh/authorized_keys'
You should obtain the keyfile and provide it to the party wishing to use the new account. It’s stored at /home/backup/.ssh/id_rsa . If that party is someone else, then you should consider how to get it to them securely.
Force sftp only access
Now we’ll have to edit a system configuration file in order to force this user to only be able to use sftp, not ssh. Use your favorite editor to edit the file /etc/ssh/sshd_config . Comment out the line at the end with Subsystem sftp in it. Add the lines below so it ends up looking like this:
# Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem sftp internal-sftp
Match User backup
ChrootDirectory %h
ForceCommand internal-sftp
X11Forwarding no
AllowTcpForwarding no
Restart sshd
For the changes to take effect, we need to restart sshd. However, if we made a syntax error, sshd will not come back up and we risk being left with no sshd running. So we’ll test the configuration first. If the test prints no errors, we’ll restart sshd.
sudo sshd -t
sudo systemctl restart sshd
Test the new user
Go ahead and test access. First try getting to the new user via ssh. You should get this message:
This service allows sftp connections only.
Now retry with sftp and it should work fine. Note that your initial directory is /home/backup on the host, but to the sftp user it’s simply / . Remember that all files should be sent to the /files directory, so if you are running sftp manually, cd /files first.
You now have a user that can only use sftp and can’t poke around the host to see what else is there.