When running a hosting service, you often need to provide secure file transfer capabilities without granting full shell access. Here's the technical reality:
- SFTP (SSH File Transfer Protocol) runs as a subsystem of SSH
- By default, SFTP access implies potential SSH access
- Proper configuration can enforce SFTP-only access
The solution involves modifying the SSH daemon configuration. Here's the step-by-step approach:
# Edit the SSH configuration file
sudo nano /etc/ssh/sshd_config
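# Add or modify these lines. Put the Match block at the end of the file:
# it stays in effect until the next Match line or the end of the file.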
Match Group sftpusers
ChrootDirectory /home/%u
ForceCommand internal-sftp
X11Forwarding no
AllowTcpForwarding no
PermitTunnel no
Create dedicated user accounts with restricted access:
# Create a group for SFTP-only users
sudo groupadd sftpusers
# Create a user (replace 'client1' with actual username)
sudo useradd -G sftpusers -s /bin/false client1
sudo passwd client1
# Set proper permissions for the chroot
sudo mkdir -p /home/client1/uploads
sudo chown root:root /home/client1
sudo chmod 755 /home/client1
sudo chown client1:client1 /home/client1/uploads
After implementing these changes, test the configuration:
- Restart SSH service:
sudo systemctl restart sshd
- Attempt SSH login (should fail):
ssh client1@yourserver
- Test SFTP connection (should succeed):
sftp client1@yourserver
For enhanced security and functionality:
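# Rate limiting connections (global settings: keep them above the first Match block)
MaxStartups 10:30:60
MaxAuthTries 3
# Logging configuration
SyslogFacility AUTH
LogLevel VERBOSE
# Additional restrictions for SFTP group
Match Group sftpusers
PasswordAuthentication yes
# Inside this Match block, PermitRootLogin only affects members of sftpusers;
# set it in the global section as well to disable root login server-wide.
PermitRootLogin no
AllowAgentForwarding no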
If you encounter problems, check these areas:
- Verify directory permissions (the chroot directory and every directory above it must be owned by root and not writable by group or others)
- Check SELinux/AppArmor policies if enabled
- Examine auth logs:
tail -f /var/log/auth.log
- Ensure proper group membership for users
As a developer running small-scale hosting services, I've faced the challenge of needing secure file transfer capabilities without granting full shell access. Here's the technical approach I implemented successfully:
SFTP (SSH File Transfer Protocol) operates as a subsystem within SSH. The key is to leverage OpenSSH's configuration options to restrict users to SFTP-only access while preventing interactive shell sessions.
First, create a dedicated user group for SFTP-only access:
sudo groupadd sftpusers
sudo useradd -G sftpusers client1
sudo passwd client1
Then modify your /etc/ssh/sshd_config file:
Match Group sftpusers
ChrootDirectory %h
ForceCommand internal-sftp
AllowTcpForwarding no
PermitTunnel no
X11Forwarding no
PermitTTY no
The chroot environment requires careful permission setup:
sudo mkdir -p /home/client1/uploads
sudo chown root:root /home/client1
sudo chmod 755 /home/client1
sudo chown client1:sftpusers /home/client1/uploads
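The ownership rule behind the chown/chmod steps above, as an added example that is not part of the original article: sshd refuses to chroot a session unless every path component from / down to the ChrootDirectory is owned by root and not writable by group or others. The function names are hypothetical and `stat -c` (Linux) is assumed.

```shell
#!/bin/sh
# Added example (hypothetical function names; assumes GNU/busybox `stat -c` on Linux).
# sshd only chroots a session if every path component, from / down to the
# ChrootDirectory, is owned by root (uid 0) and not writable by group or others.

# component_ok UID OCTAL_MODE -> status 0 if one component passes the rule
component_ok() {
    uid=$1
    mode=$2
    [ "$uid" -eq 0 ] 2>/dev/null || return 1
    # 022 masks the group-write and other-write permission bits
    [ $(( 0$mode & 022 )) -eq 0 ]
}

# check_chroot DIR -> prints each failing component; status 1 if any fail,
# 2 if DIR is not an accessible directory
check_chroot() {
    path=$(cd "$1" 2>/dev/null && pwd -P) || {
        echo "not an accessible directory: $1"
        return 2
    }
    rc=0
    while :; do
        # stat prints "<owner uid> <octal mode>", e.g. "0 755"
        set -- $(stat -c '%u %a' "$path")
        if ! component_ok "$1" "$2"; then
            echo "FAIL $path (uid=$1 mode=$2)"
            rc=1
        fi
        [ "$path" = / ] && break
        path=$(dirname "$path")
    done
    return $rc
}

# Usage: sh check_chroot.sh /home/client1
if [ $# -gt 0 ]; then
    check_chroot "$1"
fi
```

Run it as root against the directory named in ChrootDirectory (for example /home/client1, not the user-owned uploads directory inside it); no output and exit status 0 mean the ownership check will pass.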
For enhanced security, consider these additional settings:
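Match Group sftpusers
PasswordAuthentication yes
PubkeyAuthentication yes
# "publickey,password" requires both a valid key and the password
AuthenticationMethods "publickey,password"
AllowAgentForwarding no
# Inside this Match block, PermitRootLogin only affects members of sftpusers;
# set it in the global section as well to disable root login server-wide.
PermitRootLogin no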
If clients can't connect, check:
- Directory ownership (must be root:root for chroot)
- SELinux contexts if enabled
- SSH daemon logs at /var/log/auth.log
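For more granular control, the restricted shell (rssh) package offers additional options. Note that rssh is unmaintained upstream and has been dropped from recent Debian and Ubuntu releases, so it may not be installable on newer systems: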
sudo apt install rssh
sudo usermod -s /usr/bin/rssh client1
Then configure /etc/rssh.conf to allow only SFTP:
allowsftp
# Leave the other protocols commented out
#allowscp
#allowrsync
#allowrdist
#allowcvs
Always:
- Use SSH key authentication where possible
- Regularly audit user directories
- Implement rate limiting (e.g., fail2ban)
- Keep OpenSSH updated