In this tutorial, we will explain how to provide SFTP-only access to users, locking them in their home directories with a chroot. Those users will only be able to transfer files to and from your VPS; they get no shell, and everything outside their home directory is hidden and inaccessible to them.
Create a new group for your SFTP-only users.
# groupadd sftpgroup
Create a new user and change its password:
# useradd sftpuser && passwd sftpuser
Of course, replace ‘sftpuser’ with the username you want, and choose a strong password when ‘passwd’ prompts for it.
Assign the newly created user to the ‘sftpgroup’ group and set ‘/sbin/nologin’ as its shell:
# usermod -g sftpgroup -s /sbin/nologin sftpuser
With ‘/sbin/nologin’ as shell, this user cannot get an interactive login on your system, even if the SFTP restrictions below were missing. The same command can be used to add an existing user to the group; only the username needs to be changed. For the chroot to work, sshd requires the user’s home directory (and every directory above it, ‘/’ and ‘/home’) to be owned by ‘root’ and not writable by any other user or group. It must stay readable and traversable (mode 755), otherwise the user cannot reach the directory created in the next step:
# chown root:root /home/sftpuser && chmod 755 /home/sftpuser
Because the chroot root is owned by ‘root’, the user cannot create files directly in it. Create a new directory inside the user’s home directory which will be owned by the user; this is where uploads go:
# cd /home/sftpuser && mkdir sftpdirectory && chown sftpuser:sftpuser sftpdirectory
Using your favorite text editor open the ‘/etc/ssh/sshd_config’ file, find the line starting with ‘Subsystem’ (on most distributions it points at an external ‘sftp-server’ binary) and replace it with this line, which uses the SFTP server built into sshd and therefore needs no binaries or libraries inside the chroot:
Subsystem sftp internal-sftp
At the bottom of the same file (sshd_config) add the following block. It must be the last thing in the file, because every directive after a ‘Match’ line applies only to the connections that match it:
Match Group sftpgroup
    ChrootDirectory /home/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
‘%u’ expands to the username of the connecting user. This way, all users added to the ‘sftpgroup’ group will have only SFTP access to their home directories: ‘ForceCommand’ ignores whatever command the client requests and runs the SFTP server instead, and ‘AllowTcpForwarding no’ stops them from using the connection to tunnel into other hosts. (This method can be used for any other directory on your machine, as long as it meets the ownership and permission requirements described above.)
Restart the ‘sshd’ service so the new configuration takes effect. Keep your current SSH session open until you have confirmed you can still log in, so that a mistake in sshd_config does not lock you out:
# service sshd restart
After everything is done, you can test the configuration using an SFTP client or via the command line using the command below. The user should land in a directory containing only ‘sftpdirectory’, be unable to create files outside it, and an interactive ssh login with the same account should be refused:
# sftp sftpuser@hostname
In this example, we used ‘sftpuser’ as username and ‘sftpgroup’ as group name. You can change them and use any name you want.