In this article we will learn how to configure SFTP without shell access on CentOS 7. SSH File Transfer Protocol (SFTP) is a secure way to transfer files between servers over an SSH-encrypted connection. It is a different protocol from File Transfer Protocol (FTP), although most FTP clients support it as well.
SFTP works with the default configuration on any server that has SSH access enabled, which makes it secure and easy to use. The disadvantage of the standard configuration is that every SFTP user also gets terminal shell access on the server.
In some organizations we want to allow only file transfer and no interactive SSH access.
First we create a new user that will be granted SFTP access only, and set a password for it.
$ sudo adduser ftpuser
$ sudo passwd ftpuser
Output:
Changing password for user ftpuser.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
Next we need a directory to serve as the chroot. The SSH server has strict permission requirements for it: the chroot directory itself and every parent directory up to / must be owned by root and must not be writable by group or others, otherwise sshd refuses the login. The user therefore cannot own the chroot directory itself; it needs a writable sub-folder inside it.
We create the folders at /var/sftp/files, where /var/sftp is owned by root and /var/sftp/files is owned by ftpuser.
Now we create the required folders and set the permissions the SFTP setup needs: the chroot folder is created, handed to root and given mode 755 so that it is readable but not writable by anyone else.
$ sudo mkdir -p /var/sftp/files
$ sudo chown root:root /var/sftp
$ sudo chmod 755 /var/sftp
Now we give ownership of the /var/sftp/files folder to the newly created user ftpuser, so that it is the one place inside the chroot where the user can write.
$ sudo chown ftpuser:ftpuser /var/sftp/files
Here we change the SSH server configuration to deny terminal access to the newly created user ftpuser while still allowing SFTP file transfer.
Edit the SSH configuration with nano and add the following Match block at the end of the file. It must go at the end: every directive that follows a Match line applies only to that match, until the next Match line, so placing it earlier would apply the restrictions to the wrong users or break the global settings below it.
$ sudo nano /etc/ssh/sshd_config
Output:
….
….
# Example of overriding settings on a per-user basis
#Match User anoncvs
#       X11Forwarding no
#       AllowTcpForwarding no
#       PermitTTY no
#       ForceCommand cvs server

Match User ftpuser
    ForceCommand internal-sftp
    PasswordAuthentication yes
    ChrootDirectory /var/sftp
    PermitTunnel no
    AllowAgentForwarding no
    AllowTcpForwarding no
    X11Forwarding no
To apply the configuration, restart the sshd daemon with the command below. It is worth checking the syntax first with sshd's test mode (sshd -t): a typo in sshd_config can leave sshd unable to start and lock you out of the server.
$ sudo systemctl restart sshd
Match User − The directives that follow apply only to the user named here, ftpuser.
ForceCommand internal-sftp − Ignores whatever command or shell the client requests and runs the in-process SFTP server instead, so the user cannot get a terminal but can still transfer files.
PasswordAuthentication yes − Allows password authentication for this user.
ChrootDirectory /var/sftp − Confines the user to /var/sftp; nothing outside that directory is visible to the session.
PermitTunnel no − Disables tun device (VPN-style) tunnelling for this user.
AllowAgentForwarding no − Disables SSH agent forwarding for this user.
AllowTcpForwarding no − Disables port forwarding for this user.
X11Forwarding no − Disables X11 forwarding for this user.
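The whole procedure above, from creating the user to restarting sshd, as one script. This is an added example, not code from the original article; it assumes the article's names (ftpuser, /var/sftp, /var/sftp/files, /etc/ssh/sshd_config), a GNU/Linux stat(1), and root for the apply step. It adds two checks the article leaves implicit: the ownership and mode of every component of the chroot path, which sshd insists on before it will chroot, and a syntax test of sshd_config before the restart.

```shell
#!/usr/bin/env bash
# Added example: the article's procedure as one script, with the checks that
# sshd itself performs done up front. Assumes the article's names (ftpuser,
# /var/sftp, /var/sftp/files, /etc/ssh/sshd_config) and a GNU/Linux stat(1).
set -euo pipefail

SFTP_USER="${SFTP_USER:-ftpuser}"
CHROOT_DIR="${CHROOT_DIR:-/var/sftp}"
UPLOAD_DIR="$CHROOT_DIR/files"
SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}"

# sshd refuses ChrootDirectory unless the directory and every parent up to /
# are owned by root and not writable by group or others. Walk the path and
# return 0 if it satisfies that, 1 (naming the offending component) otherwise.
check_chroot_path() {
  local component="$1" owner mode
  while :; do
    owner=$(stat -c '%u' "$component")
    mode=$(stat -c '%a' "$component")          # octal, e.g. 755 or 1777
    if [ "$owner" != "0" ] || (( (8#$mode & 8#022) != 0 )); then
      echo "bad chroot component $component: uid=$owner mode=$mode" >&2
      return 1
    fi
    [ "$component" = "/" ] && return 0
    component=$(dirname "$component")
  done
}

# Print the Match block from the article. Every directive after a Match line
# belongs to that match, so the caller must append this at the END of sshd_config.
gen_match_block() {
  local user="$1" chroot="$2"
  cat <<EOF
Match User $user
    ForceCommand internal-sftp
    PasswordAuthentication yes
    ChrootDirectory $chroot
    PermitTunnel no
    AllowAgentForwarding no
    AllowTcpForwarding no
    X11Forwarding no
EOF
}

# Create the user, lay out the chroot, append the Match block and restart sshd.
apply_setup() {
  [ "$(id -u)" -eq 0 ] || { echo "apply_setup must run as root" >&2; return 1; }
  id "$SFTP_USER" >/dev/null 2>&1 || useradd "$SFTP_USER"   # then: passwd ftpuser
  mkdir -p "$UPLOAD_DIR"
  chown root:root "$CHROOT_DIR"
  chmod 755 "$CHROOT_DIR"
  chown "$SFTP_USER:$SFTP_USER" "$UPLOAD_DIR"
  check_chroot_path "$CHROOT_DIR"      # fail here, before touching sshd_config
  if ! grep -q "^Match User $SFTP_USER\$" "$SSHD_CONFIG"; then
    cp -p "$SSHD_CONFIG" "$SSHD_CONFIG.bak.$(date +%Y%m%d%H%M%S)"
    { echo; gen_match_block "$SFTP_USER" "$CHROOT_DIR"; } >>"$SSHD_CONFIG"
  fi
  sshd -t -f "$SSHD_CONFIG"            # syntax check; a bad config would lock us out
  systemctl restart sshd
}

case "${1:-}" in
  apply) apply_setup ;;
  print) gen_match_block "$SFTP_USER" "$CHROOT_DIR" ;;
esac
```

Run it as `sudo ./sftp-only.sh apply`; `./sftp-only.sh print` only prints the Match block for review. The password is deliberately not set by the script, so run passwd for the user afterwards exactly as the article does.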
To verify the configuration we first try a normal SSH login from the local machine.
$ ssh ftpuser@localhost
Output:
ftpuser@localhost's password:
Could not chdir to home directory /home/ftpuser: No such file or directory
This service allows sftp connections only.
Connection to localhost closed.
As you can see, ftpuser is not allowed to log in over SSH. The chdir warning is expected: inside the chroot there is no /home/ftpuser, so the session simply starts at the chroot root, /var/sftp.
Now we will verify the same for SFTP access.
$ sftp ftpuser@localhost
Output:
ftpuser@localhost's password:
Connected to localhost.
sftp>
As you can see, SFTP login is allowed, and you can list the folder with the ls command.
sftp> ls
files
sftp> ls -l
drwxr-xr-x    2 1000     1000            6 Jun 19 13:31 files
sftp>
The owner and group appear as the numeric id 1000 rather than ftpuser because there is no /etc/passwd inside the chroot for the SFTP server to resolve names against; that is harmless.
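The two manual logins above show what the client sees. A more direct check, added here and not part of the original article, is to ask sshd what it will actually enforce for this user: sshd -T prints the effective configuration as lowercase "keyword value" lines, and -C supplies the connection parameters that Match evaluates against. The script below parses such a dump and reports every directive from the article's Match block that is not in effect. A constructed excerpt of a dump is embedded so it runs offline; the live mode assumes the article's user and chroot path and must run as root because sshd reads the host keys.

```shell
#!/usr/bin/env bash
# Added example: confirm what sshd enforces for ftpuser by parsing the effective
# configuration that `sshd -T -C user=ftpuser,host=localhost,addr=127.0.0.1`
# dumps (one lowercase "keyword value" per line). Not from the article.
set -euo pipefail

# What the article's Match block must have produced for this user.
REQUIRED_SETTINGS="forcecommand=internal-sftp
chrootdirectory=/var/sftp
passwordauthentication=yes
permittunnel=no
allowagentforwarding=no
allowtcpforwarding=no
x11forwarding=no"

# Constructed excerpt of an sshd -T dump for a correctly configured user
# (a real dump has many more lines, which are simply ignored).
SAMPLE_DUMP="port 22
forcecommand internal-sftp
chrootdirectory /var/sftp
passwordauthentication yes
permittunnel no
allowagentforwarding no
allowtcpforwarding no
x11forwarding no"

# Read a dump on stdin; print one MISMATCH line per keyword whose effective
# value differs from REQUIRED_SETTINGS. Returns 0 if all match, else 1.
check_effective_config() {
  local dump entry key want have rc=0
  dump=$(cat)
  while IFS= read -r entry; do
    key=${entry%%=*}
    want=${entry#*=}
    # keyword is the first field; the rest of the line is its value
    have=$(printf '%s\n' "$dump" |
      awk -v k="$key" 'tolower($1) == k { sub(/^[^ \t]+[ \t]+/, ""); print; exit }')
    if [ "$have" != "$want" ]; then
      printf 'MISMATCH %s: want "%s", effective "%s"\n' "$key" "$want" "${have:-<unset>}"
      rc=1
    fi
  done <<<"$REQUIRED_SETTINGS"
  return "$rc"
}

case "${1:-}" in
  live) sshd -T -C user=ftpuser,host=localhost,addr=127.0.0.1 | check_effective_config ;;
  demo) check_effective_config <<<"$SAMPLE_DUMP" && echo "all required settings in effect" ;;
esac
```

`./check-sftp.sh demo` exercises the parser on the embedded sample; `sudo ./check-sftp.sh live` queries the real daemon. Because -C names the user, this also catches the classic mistake of placing the Match block before a global directive that then silently overrides it, which the manual ssh login test alone would not show for settings such as AllowTcpForwarding.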
In this article we have learned how to restrict a user to SFTP-only logins confined to a single folder, with no terminal access. SSH supports more complex configurations and schemes: the same Match mechanism can restrict a single user, a whole group, or connections from a limited set of IP addresses.