How to Create SFTP Only User in Debian 11

How to Create SFTP Only User in Debian 11

SFTP (SSH File Transfer Protocol) is a secure file protocol used to access, manage, and transfer files over an encrypted SSH transport session. Security first is a thumb rule for the system administrators. In some cases, we need to allow remote users to access the filesystem on our system, but you don’t want to allow them to get a shell. This will allow you a secure channel to provide limited access to specific files and directories.

This tutorial will help you to setup SFTP only access (without shell access) on Debian 11 system. It will create a chroot environment on your system to limit the SFTP user to a specific directory only. Also, it will allow SFTP only access without SSH access to the user.

Prerequisites

  • A running Debian 11 Bullseye Linux system
  • You must have sudo privileged account with shell access

Step 1 – Create a New User

First of all, create a new user to connect with the sftp server. The following command will create a new account named sftpuser with no shell access. You can use any name of your choice or requirement.

sudo adduser --shell /bin/false sftpuser 

Step 2 – Create a Directory for SFTP Access

You have created a user for sftp. Now, create a directory to configure as chroot for the sftp. For this example, I will create a /var/sftp directory. The directory must have root ownership to configure as chroot directory. So we will create a subdirectory under /var/sftp with write access to sftp account.

Create the directory structure with the following command:

sudo mkdir -p /var/sftp/files 

Next, we have to set proper permission on directories to configure as chroot access with write access to the user. Here /var/sftp must have the root ownership and group with proper permission. To set that permission, type:

sudo chown root:root /var/sftp 
sudo chmod 755 /var/sftp 

Now, change the permission for the "files" directory to allow write access to sftpuser. To set that permissions, type:

sudo chown sftpuser:sftpuser /var/sftp/files 

Once the sftpuser connects to the server, will get /var/sftp as the root directory. He can’t access the filesystem outside it. Also, the user can read/write files under the “files” directory only.

Step 3 – Configure sshd for SFTP Only

Next, you need to configure the SSH server to allow the “sftpuser” to connect the server with sFTP only without shell access. To make necessary changes, edit the SSH configuration file.

sudo nano /etc/ssh/sshd_config 

and add the following settings at end of file.

Match User sftpuser
	ForceCommand internal-sftp
	PasswordAuthentication yes
	ChrootDirectory /var/sftp
	PermitTunnel no
	AllowAgentForwarding no
	AllowTcpForwarding no
	X11Forwarding no
Chroot Settings for SFTP User
Chroot Configuration for SFTP User

Double-check that all the settings are correct. Then save the changes and restart the SSH service to apply changes.

sudo systemctl restart ssh 

All done, SFTP only use is successfully created on your Debian system. Now try logging into the remote system with the new user’s credentials, and check if everything is working correctly.

Step 4 – Connect to SFTP

One can connect to a remote SFTP server using a command line or graphical applications like Filezilla or WinSCP. In this tutorial, I will show you both ways to connect SFTP server.

Linux users can use sftp command-line utility to connect to remote sftp instances.

sftp sftpuser@sftp.tecadmin.net 

sftpuser@sftp.tecadmin.net's password:
sftp>

GUI interface or Windows users can use graphical sftp clients. For example, use Filezilla client to connect remote sftp only account on the remote system.

connect sftp only user on Debian

Verify no shell access:

As this account is configured for SFTP only connection. So if any user tried to connect via SSH will be disconnected immediately after successful authentication. User will get below message:

ssh sftpuser@sftp.tecadmin.net 

sftpuser@sftp.tecadmin.net's password:
This service allows sftp connections only.
Connection to sftp.tecadmin.net closed.

Conclusion

In this how-to guide, you have learned to create chroot jail environment for SFTP users without shell access to the server. The Chroot environment secures the filesystem by preventing users to access files outside of the defined directory. This tutorial is created and tested with Debian 11 Bullseye system but this will work on other Debian versions.

The post How to Create SFTP Only User in Debian 11 appeared first on TecAdmin.

chroot Linux Tutorials sftp SSH TecAdmin