Penguin Crumbs

Notes and tips from a Linux user


Create a sftp-only account

In this post I described how to create a personal file hosting service for backup purposes; that setup is asynchronous, because files are transferred only when you run the script. Now let's see how to create a special no-login account that can only use sftp (you can mount its home directory later with sshfs in order to obtain remote read-write storage).

The following commands prepare an sftp-only account. They may look strange because they hand ownership of the home directory to root, but that is required: sshd refuses to chroot into a directory unless it, and every directory above it, is owned by root and not writable by group or others. So don't worry and go ahead; of course "they perfectly work on my PC" :-)

 adduser USERNAME
 chown root:root /home/USERNAME/
 chmod 755 /home/USERNAME/
 cd /home/USERNAME/

Now edit /etc/ssh/sshd_config: comment out the existing "Subsystem sftp /usr/lib/openssh/sftp-server" line and replace it with internal-sftp (a chrooted user cannot run the external sftp-server binary, since it lives outside the chroot), then add a Match block at the end of the file (every directive after a Match line belongs to that block until the next Match, so it must come after all global settings):

  #Subsystem sftp /usr/lib/openssh/sftp-server
  Subsystem sftp internal-sftp

  Match User USERNAME
    AllowTcpForwarding no  
    X11Forwarding no
    ChrootDirectory %h
    ForceCommand internal-sftp

Then restart ssh service to finish the job:

service ssh restart

Important note: in this way the user cannot browse the filesystem, because the chroot makes the home directory appear as / and nothing outside it is visible; this is a very valuable security feature, because the user learns nothing about the hosting OS. The user has no write permission in the home directory itself (root owns it), but you can create a subdirectory for that purpose:

 mkdir uploads
 chown USERNAME:USERNAME uploads

If everything works properly, the user can no longer obtain a shell over ssh (ForceCommand runs internal-sftp regardless of the login shell), so files like .profile, .bash*, .cache and so on are never read and can be removed. Keep in mind that this restriction applies to ssh only: if the account has a password, it can still log in on a local console unless its shell is set to a no-login shell.
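The whole procedure above, plus the two checks that catch the usual mistakes (chroot directory ownership and modes, and the effective per-user configuration as sshd sees it), as an added example that is not part of the original post. It assumes a Debian/Ubuntu layout (adduser, /etc/ssh/sshd_config, /usr/sbin/sshd, service ssh restart) and GNU stat/sed; the script name sftp-account.sh and the helper function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): create a chrooted sftp-only
# account and verify it. Assumes Debian/Ubuntu paths and GNU coreutils/sed.
# Usage (as root): sh sftp-account.sh USERNAME
set -eu

# sshd refuses to chroot unless the ChrootDirectory and every parent
# directory are owned by root and not writable by group or others; the
# auth log then says "bad ownership or modes for chroot directory".
# chroot_perms_ok takes an owner uid and an octal mode (as printed by
# "stat -c '%u %a'") and returns 0 when they satisfy that rule.
chroot_perms_ok() {
    [ "$1" -eq 0 ] || return 1
    perm=$(printf '%s' "$2" | tail -c 3)     # drop any setuid/setgid/sticky digit
    g=$(printf '%s' "$perm" | cut -c 2)      # group permission digit
    o=$(printf '%s' "$perm" | cut -c 3)      # other permission digit
    [ $((g & 2)) -eq 0 ] && [ $((o & 2)) -eq 0 ]   # write bit must be clear
}

# Walk from the chroot directory up to / and apply chroot_perms_ok to
# each level, the same walk sshd performs before chrooting.
check_chroot_path() {
    d=$1
    while [ "$d" != "/" ]; do
        set -- $(stat -c '%u %a' "$d")
        chroot_perms_ok "$1" "$2" || { echo "bad ownership or modes: $d" >&2; return 1; }
        d=$(dirname "$d")
    done
}

# Read the effective configuration sshd applies to one user (the output
# of "sshd -T -C user=NAME,host=...,addr=...", one lower-cased keyword
# per line) from stdin and succeed only if the account is confined to
# internal-sftp with forwarding disabled.
sftp_lockdown_ok() {
    awk '
        $1 == "chrootdirectory"    && $2 != "none"          { chroot = 1 }
        $1 == "forcecommand"       && $2 == "internal-sftp" { force  = 1 }
        $1 == "allowtcpforwarding" && $2 == "no"            { tcp    = 1 }
        $1 == "x11forwarding"      && $2 == "no"            { x11    = 1 }
        END { exit !(chroot && force && tcp && x11) }
    '
}

# The post's steps, in order, followed by the checks.
main() {
    user=$1
    adduser "$user"                                  # interactive on Debian/Ubuntu
    chown root:root "/home/$user"                    # chroot root must be root-owned
    chmod 755 "/home/$user"                          # and not group/world writable
    mkdir -p "/home/$user/uploads"                   # the only writable place
    chown "$user:$user" "/home/$user/uploads"
    rm -f "/home/$user/.profile" "/home/$user"/.bash* # never read: no shell via ssh
    rm -rf "/home/$user/.cache"

    # Replace the external sftp-server with the in-process one ...
    sed -i 's|^Subsystem[[:space:]]\{1,\}sftp[[:space:]].*|Subsystem sftp internal-sftp|' \
        /etc/ssh/sshd_config
    # ... and append the Match block at the END of the file: everything
    # after a Match line belongs to that block, so global directives must
    # stay above it.
    cat >> /etc/ssh/sshd_config <<EOF

Match User $user
    AllowTcpForwarding no
    X11Forwarding no
    ChrootDirectory %h
    ForceCommand internal-sftp
EOF

    /usr/sbin/sshd -t                                # syntax check before restarting
    check_chroot_path "/home/$user"
    /usr/sbin/sshd -T -C "user=$user,host=localhost,addr=127.0.0.1" | sftp_lockdown_ok
    service ssh restart
}

[ $# -eq 0 ] || main "$@"
```

The two check functions are worth keeping around on their own: `check_chroot_path /home/USERNAME` explains the "bad ownership or modes" failure that appears in the auth log when someone later relaxes the home directory permissions, and piping `sshd -T -C user=USERNAME,host=localhost,addr=127.0.0.1` into `sftp_lockdown_ok` confirms that the Match block actually took effect (for example after an edit that accidentally placed a global directive below it).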

Posted on 2019-06-21  
⇦  back
Copyright © 2019 Marcello Zaniboni