Ubuntu

How to Create SFTP User with Specified Directory Permissions in Ubuntu 20.04

Setup SFTP User Specified Directory Permissions in Ubuntu 20.04

SFTP stands for Secure File Transfer Protocol that we used for secure data transfer to and from your local system. It works over SSH Protocol and hence is considered to be more secure than the simple FTP (File Transfer Protocol). Data transferring is a routine based task of every system administrator and other developers who need to make changes in their code.

So, in today’s article, we are going to show the detailed steps to configure SFTP Server and create users with their specified directory permissions.

For the demonstration, we are using the Ubuntu 20.04 LTS for the SFTP setup, but similar steps can be performed in case you are using the RHEL/CentOS Operating system.

Prerequisites:

Starting from the prerequisites, we need to make sure that we have sudo or root user privileges on the server where we need to create SFTP Users.

Let’s start by login into the system using ssh for which you can use the Putty or Shell terminal of your Linux Desktop.

# ssh -i key.pem ubuntu@your_server_ip
# sudo -i

You can also directly login to your system as well, but make sure to use your own username and credentials.

Step 1: Creating New SFTP Only User

Creating a new user for SFTP is as similar as we do for adding any other general users. But in order to restrict that to be used for SFTP purposes only, we will assign it to no login shell.

Run the command below to create an SFTP user by specifying its custom home directory.

# useradd -m -d /home/example.com sftp_user

Set the password of the newly created user using ‘passwd’ command as below.

# passwd sftp_user

Make sure to set a complex password for its security. Then assign it a nologin shell by modifying the ‘passwd’ file as below.

# vim /etc/passwd
sftp_user:x:1001:1001::/home/example.com:/usr/sbin/nologin

Save and close using :wq! To apply changes.

Step 2: Setup Directory Permissions

After creating the new user, we need to set up the right directory permissions and ownership to the user’s directory that we have created in the first step.

# chmod 755 /home/example.com/
# chown root:root /home/example.com

Step 3: Restrict Directory Access

Now we have a new SFTP only user in place, next we need to restrict its directory access to be accessible to its specified home folder that we created.

In order to do so, we are going to modify the ssh configuration file by adding the following parameters.

# vim /etc/ssh/sshd_config
subsystem sftp internal-sftp

Match User sftp_user

ChrootDirectory %h

AllowTCPForwarding no

X11Forwarding no

PasswordAuthentication yes

ForceCommand internal-sftp

Before saving the made changes, make sure to add your username against ‘Match User’ , whereas ‘%h’ represents the home directory of your newly created user within the restricted environment. This ‘ChrootDirectory’ will ensure that your SFTP user won’t have access to any other directory.
Save the ssh configuration file, verify the syntax if there is an issue and then restart its services and confirm if it’s running using the below commands.

# ssh -t
# systemctl restart sshd
# systemctl status sshd

Here, you can see that first there was an error in the ssh configuration file that we fixed by commenting out the additional entry and restart ‘sshd service.

Step 4: Testing SFTP Login

At this point, we are ready to use our SFTp user but before that let’s test it to make sure it has only SFTP access by using the ssh command.

# [email protected]

Whereas xx needs to be replaced with your own server IP. As a result, you should get the connection failure as shown below.

Step 5: Using SFTP Client

There are a couple of SFTP clients available to use for the cross-platform operating system and you can use your favorite one. We are going to test it using FileZilla which is one of the best and most useful FTP/SFTP clients available to use. You can easily download it from their official link.

Let’s open it in your system and give the IP address of your SFTP server along with your created username and password.

Upon successful credentials, you will be able to have access to your specified directory only where you can upload or download the data.

Conclusion:

In this article we have covered the detailed steps to setup and new SFTP server by making the ssh configuration changes, adding new users, and assigning the required directory permissions. You can add as many users as you want or simply create a new group and make new users part of that group.

Similar Posts