SFTP is a protocol allowing for secure file transfers over SSH. This guide describe how to setup SFTP only accounts on a SSH server.

This howto is tested on:

  • Debian 10.0 Buster


Set the name of the system group of users restricted to SFTP only:



This howto requires:

  • a working OpenSSH server.


Detect if sudo is available (“command” is used if not):

command type -f 'sudo' &>'/dev/null' && cmdProxy='sudo'

Create the “${sftpOnlyGroup}” group:

command grep --quiet --regexp="^${sftpOnlyGroup}:" '/etc/group' \
  || ${cmdProxy} addgroup --system "${sftpOnlyGroup}"

Set the sftp subsystem as internal:

if ! grep --quiet --regexp='^Subsystem[\t ]*sftp[\t ]*internal-sftp' '/etc/ssh/sshd_config'; then
  # Remove existing sftp subsystem settings.
  ${cmdProxy} sed -i -e 's/^Subsystem[\t ]*sftp[\t ]/# &/' '/etc/ssh/sshd_config'
  ${cmdProxy} tee -a '/etc/ssh/sshd_config' <<< '
# Set internal-sftp as sftp subsystem.
# Allow for simpler use of ChrootDirectory directive.
Subsystem sftp internal-sftp'

Setup the restriction to a chrooted SFTP server for users in the “${sftpOnlyGroup}” group:

command grep --quiet --regexp="^Match group ${sftpOnlyGroup}" '/etc/ssh/sshd_config' \
    || ${cmdProxy} tee -a '/etc/ssh/sshd_config' <<< "
# Restrict to SFTP only for users in group '${sftpOnlyGroup}'
Match group ${sftpOnlyGroup}
    ForceCommand internal-sftp
    X11Forwarding no
    AllowTcpForwarding no
    PermitTTY no"

If a group based access restriction is set, add ‘${sftpOnlyGroup}’ to allowed groups:

command grep --quiet --regexp='^AllowGroups[\t ]' '/etc/ssh/sshd_config' \
  && command grep --quiet --regexp="^AllowGroups[\t ].*${sftpOnlyGroup}.*" '/etc/ssh/sshd_config' \
  || ${cmdProxy} sed -i \
      -e "s/^AllowGroups[\t ]*[^\t ]*/&,${sftpOnlyGroup}/" \

Reload the SSH server configuration:

${cmdProxy} systemctl 'reload' 'ssh'


Add users that should only have access to the SFTP server to the “${sftpOnlyGroup}” group:

# sudo adduser 'username' "${sftpOnlyGroup}"

Warning ! Users in the “${sftpOnlyGroup}” group wont be able to login using SSH.

Next steps

For further security, SFTP only users can be logged-in in a chroot environment. See ‘ChrootDirectory’ directive in sshd_config man page.


Categories: Security


Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.