How to create an sftp-only user on (RedHat) Linux


Create an sftp-only user that has read/write access to one directory and nothing else: no ssh shell, no port forwarding and no X11 forwarding. The lock-down itself is done in /etc/ssh/sshd_config with a Match block (ChrootDirectory, ForceCommand internal-sftp, forwarding switched off); setting the sftp server as the user's login shell in /etc/passwd is an additional safety net that keeps the account shell-less even if the Match block is ever removed.


## requirements

OpenSSH 4.8p1 or newer: the ChrootDirectory option and the in-process internal-sftp server were introduced in 4.8. Check the installed version with `ssh -V`. If it is older, this is how to build a newer OpenSSH RPM from source on RedHat. Verify the tarball's signature before building, and keep in mind that a self-built package is no longer covered by the distribution's security updates, so you have to track OpenSSH releases yourself:

```
yum install gcc openssl-devel pam-devel rpm-build wget   # or the equivalent build dependencies
# fetch openssh-5.6p1.tar.gz from an OpenSSH mirror into the current directory
tar zxvf openssh-5.6p1.tar.gz
cp openssh-5.6p1/contrib/redhat/openssh.spec /usr/src/redhat/SPECS/
cp openssh-5.6p1.tar.gz /usr/src/redhat/SOURCES/
cd /usr/src/redhat/SPECS
# build without the gnome/x11 askpass sub-packages
perl -i.bak -pe 's/^(%define no_(gnome|x11)_askpass)\s+0$/$1 1/' openssh.spec
rpmbuild -bb openssh.spec
cd /usr/src/redhat/RPMS/`uname -i`
rpm -Uvh openssh*rpm
```
## commands

The user is called sftp-test here (the name used in the result section); replace it with your own.

```
useradd sftp-test
passwd sftp-test
# sftp-server as login shell: the account gets no interactive shell even
# without the sshd_config Match block
usermod -s /usr/libexec/openssh/sftp-server sftp-test
echo '/usr/libexec/openssh/sftp-server' >> /etc/shells
groupadd sftp-only
usermod -g sftp-only sftp-test
vim /etc/ssh/sshd_config
```

In sshd_config:

```
# replace the existing "Subsystem sftp /usr/libexec/openssh/sftp-server" line
# (a second Subsystem sftp line makes sshd refuse to start); the in-process
# server needs no binaries or libraries inside the chroot
Subsystem sftp internal-sftp

# keep this at the end of the file: everything after a Match line belongs to it
Match Group sftp-only
    # chroot members into this directory
    # %u gets substituted with the user name
    ChrootDirectory /home/%u
    X11Forwarding no
    AllowTcpForwarding no
    # force the internal SFTP engine upon them
    ForceCommand internal-sftp
```

Reload sshd afterwards so the change takes effect. Note that sshd only chroots into a directory whose every path component is owned by root and not writable by group or others (see sshd_config(5); the log message otherwise is "bad ownership or modes for chroot directory"). The user therefore cannot own the chroot top itself; make /home/sftp-test root-owned and give the user a writable sub-directory inside it.
## result

sftp login should be fine and look like this:

```
[root@test-box ~]# sftp sftp-test@localhost
sftp-test@localhost's password: ******
Connected to localhost.
sftp> put /tmp/touched.txt
Uploading /tmp/touched.txt to /home/sftp-test/touched.txt
/tmp/touched.txt                              100%    0     0.0KB/s   00:00
sftp> mkdir test1
sftp> ls
test1  touched.txt
sftp> quit
[root@test-box ~]# ls -lh /home/sftp-test/
total 20K
drwxr-xr-x 2 sftp-test sftp-only 4.0K Oct 20 06:20 test1
-rw-r--r-- 1 sftp-test sftp-only    0 Oct 20 06:19 touched.txt
```

An ssh login attempt, on the other hand, should fail like this (the exact message depends on the OpenSSH version; this one is printed by sshd when ForceCommand internal-sftp is in effect and the client asks for a shell):

```
[root@test-box ~]# ssh sftp-test@localhost
sftp-test@localhost's password: ******
This service allows sftp connections only.
Connection to localhost closed.
[root@test-box ~]#
```