sftponlyuser

Setup user for SFTP access only

Scenario

give upload/download access to a single directory
no login
no escape from the directory
access the directory using your regular, privileged user

Step by step

Choose an upload/download/“home” directory
all components of the path must be owned by root and not writable by anyone else!
For this example, let's assume /mnt/web/sftpuser
adduser -r -s /usr/sbin/nologin --home /mnt/web/sftpuser --no-create-home sftpuser

/etc/passwd should look like this:

sftpuser:x:1002:1002::/mnt/web/sftpuser:/usr/sbin/nologin

Set the password
passwd sftpuser

append a section like this to /etc/ssh/sshd_config:

Match User sftpuser
        ChrootDirectory /mnt/web/sftpuser
        ForceCommand internal-sftp -u 0002
        X11Forwarding no
        AllowTcpForwarding no

(optionally) Add your own user to the newly created user's group: usermod -aG sftpuser user

sftponlyuser.txt · Last modified: 2021/06/07 12:00 by wolfo