Linux – Allow SFTP but disallow SSH


I'm starting a very little hosting company for a few friends and little clients, nothing big.

I want to give my "clients" the right to manage their files on the server. I hate FTP as it is not secure and it's in my opinion obsolete.

So I'd like to allow my users to connect through SFTP but not allow them to connect through SSH. (I know, I know, SFTP is using SSH). But I was just wondering, is it possible?

So I wouldn't have to install an FTP service on the server and everything would be awesome!

Best Answer

Starting with version 4.9, OpenSSH (not available in CentOS 5.x, but the ChrootDirectory feature was backported) has an internal-sftp subsystem:

Subsystem sftp internal-sftp

And then block other uses:

Match group sftponly
     ChrootDirectory /upload/%u
     X11Forwarding no
     AllowTcpForwarding no
     AllowAgentForwarding no
     ForceCommand internal-sftp

Add your users to the sftponly group. The chroot directory must be owned by root, and cannot be group-writeable, so create a subdirectory for each user, e.g. uploads or home/$username that's owned by the appropriate user (if you match their home directory, it will be the default working directory when connecting). I'd also set /bin/false as the user's shell.

As an example, users can then upload single files with:

sftp username@hostname <<< 'put filename.ext uploads/'

(scp will hopefully soon be modified to use sftp so this will become easier)
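
The ownership rule from the answer above (chroot directory owned by root and not group-writable) as a pre-flight check; this is an added example, not part of the original answer. sshd applies the rule to every component of the ChrootDirectory path, so the script walks up to `/`. The function names and the `/upload/alice` path are hypothetical, and GNU `stat` (Linux) is assumed.

```shell
#!/bin/sh
# Added example: audit a ChrootDirectory path before pointing sshd at it.
# Assumes GNU coreutils stat. Typical use, as root (hypothetical path):
#   check_chroot_path /upload/alice

# check_component DIR [OWNER_UID]
# Succeeds only if DIR is a directory owned by OWNER_UID (default 0 = root)
# and is not writable by group or others.
check_component() {
    cc_want=${2:-0}
    if [ ! -d "$1" ]; then
        echo "FAIL $1: not a directory" >&2
        return 1
    fi
    # -L follows symlinks, matching a plain stat() on the path.
    cc_uid=$(stat -L -c %u "$1")
    cc_mode=$(stat -L -c %a "$1")
    cc_rc=0
    if [ "$cc_uid" -ne "$cc_want" ]; then
        echo "FAIL $1: owner uid $cc_uid, expected $cc_want" >&2
        cc_rc=1
    fi
    # 022 = group-write | other-write; the leading 0 makes the mode octal.
    if [ $(( 0$cc_mode & 022 )) -ne 0 ]; then
        echo "FAIL $1: mode $cc_mode is group- or other-writable" >&2
        cc_rc=1
    fi
    return $cc_rc
}

# check_chroot_path DIR
# Applies check_component (owner root) to DIR and to each parent up to /.
# The path is resolved to its physical form first.
check_chroot_path() {
    ccp_dir=$(cd "$1" 2>/dev/null && pwd -P) || {
        echo "FAIL $1: cannot enter directory" >&2
        return 1
    }
    ccp_rc=0
    while :; do
        check_component "$ccp_dir" 0 || ccp_rc=1
        [ "$ccp_dir" = / ] && break
        ccp_dir=$(dirname "$ccp_dir")
    done
    return $ccp_rc
}
```

Every `FAIL` line names a directory to fix with `chown root` or `chmod go-w`; the per-user writable subdirectory (e.g. `uploads`) sits inside the chroot and is not part of the checked path.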