How To Configure and Secure SFTP Without Providing Shell Access on CentOS 7

In this article we will learn how to configure SFTP without enabling shell access on CentOS 7. SSH File Transfer Protocol (SFTP) is a secure way of transferring files from one server to another over SSH encrypted connections. It is a different protocol from File Transfer Protocol (FTP), but it is supported by all the FTP clients.

SFTP works with the default configuration on every server that has SSH access enabled. SFTP is secure and easy to use, but the standard configuration has a disadvantage: it allows terminal shell access to all the SFTP users on the server.

In some organizations, we want to allow only file transfer and no SSH shell access.


Prerequisites

  • CentOS 7.x installed on the machine.
  • A user with sudo permission on the machine.

Creating User for SFTP

We need to create a new user who will be granted only file transfer access on the server, and set up a password for that user.

$ sudo adduser ftpuser

$ sudo passwd ftpuser
Changing password for user ftpuser.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.

Creating Folder for FTP Access

We need to create a folder that meets the SSH server's permission requirements, which are very important: the folder itself and all the folders above it must be owned by root and must not be writable by anyone else.

We can create the folders as /var/sftp/files, where /var/sftp is owned by the root user and /var/sftp/files is owned by the ftpuser.

Now, we will create the required folders and set the permissions required for the SFTP setup.

Create the folder for SFTP users, set the appropriate ownership on the folder and change the folder permissions.

$ sudo mkdir -p /var/sftp/files
$ sudo chown root:root /var/sftp
$ sudo chmod 755 /var/sftp

Now we will give ownership of the /var/sftp/files folder to the newly created user ‘ftpuser’.

$ sudo chown ftpuser:ftpuser /var/sftp/files

Restrict the Access to the Folder

Here we will change the SSH server configuration file to restrict SSH terminal access for the newly created user ftpuser but allow SFTP file transfer.

Let's edit the SSH configuration using nano and add the below configuration at the end of the file.

$ sudo nano /etc/ssh/sshd_config

# Example of overriding settings on a per-user basis
#Match User anoncvs
#       X11Forwarding no
#       AllowTcpForwarding no
#       PermitTTY no
#       ForceCommand cvs server
Match User ftpuser
ForceCommand internal-sftp
PasswordAuthentication yes
ChrootDirectory /var/sftp
PermitTunnel no
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no

To apply the configuration, restart the sshd daemon using the below command –

$ sudo systemctl restart sshd

Directives used in the above configuration are –

  • Match User − The configuration is applied to the user specified in this directive; here we specified ftpuser.

  • ForceCommand − Restricts the user from logging in to the terminal as an SSH user and allows only SFTP once the user has logged in.

  • PasswordAuthentication − This allows password authentication for the user specified.

  • ChrootDirectory /var/sftp/ − Will not allow the user beyond the /var/sftp directory.

  • PermitTunnel no − Will not allow Tunneling to the user we specified.

  • AllowAgentForwarding no − Will not allow SSH Agent Forwarding to the user we specified.

  • AllowTcpForwarding no − Will not allow Port Forwarding to the user we specified.

  • X11Forwarding no − Will not allow X11 Forwarding to the user we specified.
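
The Match block and the folder ownership rules above can be checked together. The following Python is an added example, not part of the original article: it audits the output of `sshd -T -C user=ftpuser,host=localhost,addr=127.0.0.1` (run as root) and the chroot path's ownership and modes. The function names, the `stop` parameter and the sample text are assumptions made for illustration.

```python
import os
import stat

# Values the Match block should yield, keyed as `sshd -T` prints them.
REQUIRED = {"forcecommand": "internal-sftp", "permittunnel": "no",
            "allowagentforwarding": "no", "allowtcpforwarding": "no",
            "x11forwarding": "no"}

def parse_effective(text):
    """Parse `sshd -T` style output into a {keyword: value} dict."""
    cfg = {}
    for line in text.splitlines():
        key, _, value = line.strip().partition(" ")
        if key:
            cfg[key.lower()] = value.strip()
    return cfg

def audit_settings(cfg):
    """Return one finding per setting that differs from the Match block."""
    findings = [f"{k}: got {cfg.get(k, 'unset')!r}, want {v!r}"
                for k, v in REQUIRED.items() if cfg.get(k) != v]
    if cfg.get("chrootdirectory", "none") == "none":
        findings.append("chrootdirectory: not set, user is not confined")
    return findings

def audit_chroot_path(path, owner_uid=0, stop="/"):
    """Check `path` and each parent up to `stop`: a directory, owned by root,
    not group/world-writable. `stop` is a hypothetical knob for scratch dirs."""
    findings = []
    current, stop = os.path.abspath(path), os.path.abspath(stop)
    while True:
        st = os.stat(current)
        if not stat.S_ISDIR(st.st_mode):
            findings.append(f"{current}: not a directory")
        if st.st_uid != owner_uid:
            findings.append(f"{current}: owner uid {st.st_uid}, want {owner_uid}")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(f"{current}: mode {stat.S_IMODE(st.st_mode):o} group/world-writable")
        if current in (stop, os.path.dirname(current)):
            break
        current = os.path.dirname(current)
    return findings

# Constructed sample of `sshd -T` output for ftpuser, with one weak value.
SAMPLE = ("forcecommand internal-sftp\nchrootdirectory /var/sftp\n"
          "permittunnel no\nallowagentforwarding no\n"
          "allowtcpforwarding yes\nx11forwarding no\n")

if __name__ == "__main__":
    print("\n".join(audit_settings(parse_effective(SAMPLE))))
```

On the server itself, pass the real `sshd -T` output to `parse_effective` and call `audit_chroot_path("/var/sftp")` with the defaults; an empty list from both means the settings and the chroot path match what this article configures.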

Verify the Configuration

To verify the configuration we will check the SSH login from the local machine.

$ ssh ftpuser@localhost
ftpuser@localhost's password:
Could not chdir to home directory /home/ftpuser: No such file or directory
This service allows sftp connections only.
Connection to localhost closed.

As you can see, the ftpuser is not allowed to log in using SSH.

Now we will verify the same for SFTP access.

$ sftp ftpuser@localhost
ftpuser@localhost's password:
Connected to localhost.

As you can see, the SFTP login is allowed, and now you can see the folder list using the ls command.

sftp> ls
sftp> ls -l
drwxr-xr-x    2 1000       1000       6 Jun 19 13:31 files

In this article, we have learned to restrict a user to SFTP-only login confined to a single folder, and to block that user from logging in to the terminal. SSH has more complex configurations and schemes, where we can apply restrictions to a single user or group, or limit access to an IP address.

Sharon Christine