SFTP is a file transfer protocol that runs inside an SSH session, so it inherits SSH's authentication and encryption. This guide describes how to set up SFTP-only accounts on an SSH server: members of a dedicated system group can transfer files but cannot obtain a shell, run remote commands or forward ports.
This howto is tested on:
- Debian 10.0 Buster
Settings
Set the name of the system group whose members are restricted to SFTP only:
sftpOnlyGroup='sftp-only'
Requirements
This howto requires:
- a working OpenSSH server.
Configuration
Detect whether sudo is available; if it is not, privileged commands are run directly through the “command” builtin, which only works when the whole procedure is run as root:
cmdProxy='command'
command type -f 'sudo' &>'/dev/null' && cmdProxy='sudo'
Create the “${sftpOnlyGroup}” group:
command grep --quiet --regexp="^${sftpOnlyGroup}:" '/etc/group' \
|| ${cmdProxy} addgroup --system "${sftpOnlyGroup}"
Set the sftp subsystem to internal-sftp. The in-process server needs no external sftp-server binary, which is what later makes the ChrootDirectory directive usable without copying binaries into the jail. The patterns use [[:blank:]] rather than [\t ] because GNU grep does not interpret \t inside a bracket expression (it matches a literal backslash or “t”), so a tab-separated line such as Debian's default would not be recognised. Note that Subsystem is only valid in the global section of sshd_config: appending it is fine on a stock Debian 10 file, which has no active Match block, but if your file already ends with a Match block the line must be placed before that block instead.
if ! grep --quiet --regexp='^Subsystem[[:blank:]]\+sftp[[:blank:]]\+internal-sftp' '/etc/ssh/sshd_config'; then
# Comment out any other sftp subsystem setting (e.g. /usr/lib/openssh/sftp-server).
${cmdProxy} sed -i -e 's/^Subsystem[[:blank:]]\+sftp[[:blank:]]/# &/' '/etc/ssh/sshd_config'
${cmdProxy} tee -a '/etc/ssh/sshd_config' <<< '
# Set internal-sftp as sftp subsystem.
# Allow for simpler use of ChrootDirectory directive.
Subsystem sftp internal-sftp'
fi
Restrict users in the “${sftpOnlyGroup}” group to SFTP only (this is not yet a chroot; see “Next steps” for that). ForceCommand replaces whatever the client asked for, a shell or a remote command, with the in-process SFTP server, regardless of the user's login shell; the remaining directives close the channels an SSH session would otherwise still offer: X11 forwarding, TCP port forwarding and PTY allocation. A Match block extends to the end of the file or to the next Match, so it is appended after all global settings:
command grep --quiet --regexp="^Match[[:blank:]]\+[Gg]roup[[:blank:]]\+${sftpOnlyGroup}" '/etc/ssh/sshd_config' \
|| ${cmdProxy} tee -a '/etc/ssh/sshd_config' <<< "
# Restrict to SFTP only for users in group '${sftpOnlyGroup}'
Match group ${sftpOnlyGroup}
ForceCommand internal-sftp
X11Forwarding no
AllowTcpForwarding no
PermitTTY no"
If access is already restricted with AllowGroups, add ‘${sftpOnlyGroup}’ to it; otherwise members of the group are rejected at authentication time, before the Match block is ever evaluated. AllowGroups takes a space-separated list of group name patterns, so the group is appended with a space (the sed is a no-op when no AllowGroups line exists):
command grep --quiet --regexp='^AllowGroups[[:blank:]]' '/etc/ssh/sshd_config' \
&& command grep --quiet --regexp="^AllowGroups.*[[:blank:]]${sftpOnlyGroup}\([[:blank:]]\|$\)" '/etc/ssh/sshd_config' \
|| ${cmdProxy} sed -i \
-e "s/^AllowGroups[[:blank:]].*[^[:blank:]]/& ${sftpOnlyGroup}/" \
'/etc/ssh/sshd_config'
Reload the SSH server configuration. On Debian, ssh.service validates the file with “sshd -t” before signalling the daemon, so a syntax error fails the reload and leaves the running server untouched; check the exit status of the reload and keep your current session open until a new SFTP login has been tested:
${cmdProxy} systemctl 'reload' 'ssh'
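The whole Configuration section again as one idempotent script, added here as an example and not the howto's own commands. It takes the sshd_config path as a parameter so it can be tried on a copy first, and it handles the case the commands above do not: a file that already ends with a Match block, where the Subsystem line must be inserted before that block rather than appended after it. The sftp_only_* function names, the /etc/ssh/sshd_config.new staging path and the explicit sshd -t step are this example's own assumptions.

```shell
#!/usr/bin/env bash
# Added example, not the howto's own code: apply the SFTP-only settings to an
# sshd_config file idempotently. All sftp_only_* names are this example's own.
set -eu

# 1. Subsystem sftp internal-sftp. 'Subsystem' is only valid in the global
#    section, so when the file already contains a Match block the line is
#    inserted before the first one instead of being appended after it.
sftp_only_set_subsystem() {
  local cfg="$1" line='Subsystem sftp internal-sftp'
  grep -Eq '^Subsystem[[:blank:]]+sftp[[:blank:]]+internal-sftp([[:blank:]]|$)' "$cfg" && return 0
  # Disable any other sftp subsystem line, e.g. /usr/lib/openssh/sftp-server.
  sed -E -i 's/^Subsystem[[:blank:]]+sftp[[:blank:]]/# &/' "$cfg"
  if grep -Eq '^Match[[:blank:]]' "$cfg"; then
    # GNU sed: the '0,/re/' range ends at the first Match line, and the empty
    # regex in s// reuses that expression, so only that line is touched.
    sed -E -i "0,/^Match[[:blank:]]/s//${line}\n&/" "$cfg"
  else
    printf '\n%s\n' "$line" >> "$cfg"
  fi
}

# 2. The Match block. Everything after a Match line belongs to that block until
#    the next Match, so it goes at the very end of the file.
sftp_only_set_match() {
  local cfg="$1" group="$2"
  grep -Eq '^Match[[:blank:]]+[Gg]roup[[:blank:]]+'"$group"'([[:blank:]]|$)' "$cfg" && return 0
  cat >> "$cfg" <<EOF

# Restrict users in group '${group}' to SFTP only
Match Group ${group}
    ForceCommand internal-sftp
    X11Forwarding no
    AllowTcpForwarding no
    PermitTTY no
EOF
}

# 3. AllowGroups, if present, is evaluated at authentication time, before any
#    Match block: a group missing from it is simply denied. The list is
#    space separated; the group is appended after the last existing entry.
sftp_only_allow_group() {
  local cfg="$1" group="$2"
  grep -Eq '^AllowGroups[[:blank:]]' "$cfg" || return 0
  grep -Eq '^AllowGroups([[:blank:]]+[^[:blank:]]+)*[[:blank:]]+'"$group"'([[:blank:]]|$)' "$cfg" && return 0
  sed -E -i "s/^(AllowGroups[[:blank:]]+.*[^[:blank:]])[[:blank:]]*\$/\\1 ${group}/" "$cfg"
}

# Apply all three steps; running it twice on the same file changes nothing.
sftp_only_configure() {
  local cfg="$1" group="$2"
  sftp_only_set_subsystem "$cfg"
  sftp_only_set_match "$cfg" "$group"
  sftp_only_allow_group "$cfg" "$group"
}

# 4. Validate before installing the file (needs root to read the host keys).
#    Debian's ssh.service runs 'sshd -t' on reload as well, but an error is
#    easier to read here than in the journal.
sftp_only_check() {
  /usr/sbin/sshd -t -f "$1"
}

# Typical use, as root (sshd_config.new is an assumed staging path):
#   cp /etc/ssh/sshd_config /etc/ssh/sshd_config.new
#   sftp_only_configure /etc/ssh/sshd_config.new sftp-only
#   sftp_only_check /etc/ssh/sshd_config.new \
#     && cp /etc/ssh/sshd_config.new /etc/ssh/sshd_config \
#     && systemctl reload ssh
```

Working on a staged copy and validating it with sshd -t -f means a mistake never reaches the running daemon; the reload is only issued once the copy has passed the check.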
Usage
Add the existing users who should only have access to the SFTP server to the “${sftpOnlyGroup}” group (adduser with two arguments adds an existing user to an existing group; the change applies at the user's next login):
${cmdProxy} adduser 'username' "${sftpOnlyGroup}"
Warning! Users in the “${sftpOnlyGroup}” group can no longer open an interactive SSH shell or run remote commands; only SFTP sessions are served, so never add an administrative account to this group. With the OpenSSH version shipped in Debian 10, scp stops working for these users as well, because scp in its legacy mode runs a remote scp command rather than using SFTP (scp only switched to SFTP by default in OpenSSH 9.0). Removing the user from the group restores normal access.
Next steps
For further isolation, SFTP-only users can be confined to a chroot with the ‘ChrootDirectory’ directive (see the sshd_config man page). sshd refuses to chroot unless the chroot directory and every directory above it are owned by root and not writable by group or others, which means the user cannot write at the top of the jail: give them a root-owned jail with a writable subdirectory inside it, and test the directory ownership before reloading, since a failing check shows up only as a login refusal in the auth log.
Thanks
- Thanks to François Feugeas for his reply to Allow SCP but not actual login using SSH (en).
- Thanks to Martin Prikryl for his reply to OpenSSH: Difference between internal-sftp and sftp-server (en).