Setup SFTP and Prevent SSH on Ubuntu 20.04. SFTP (SSH File Transfer Protocol) transfers files over an encrypted SSH connection. On Ubuntu the OpenSSH server enables the sftp subsystem by default, so any account that can log in over SSH can also use SFTP.
In this guide you are going to learn how to confine a particular user's SFTP access to one directory and deny that user an SSH shell.
This setup was tested on a virtual machine running Ubuntu 20.04, so it should work on any server running Ubuntu.
Prerequisites
SSH access to server with sudo privileges.
Step 1: Create New user
Create a new user who will have SFTP-only access to a particular directory.
sudo adduser username
You will be prompted to set a password and some optional details, which you can fill in or skip.
If you prefer SSH key-based login, see how to set up SSH key access on Ubuntu. Note that sshd reads the user's authorized_keys from the real home directory (/home/username/.ssh/authorized_keys), not from inside the chroot configured below.
Step 2: Setup SFTP access
To set up SFTP access you need the correct directory ownership: sshd refuses to chroot into a directory unless that directory and every parent up to / are owned by root and not writable by group or others. The user therefore gets a writable subdirectory inside the chroot, not the chroot itself.
For example, if you are going to create a directory named /sftp/folder, the /sftp directory must be owned by root (mode 755) and the /sftp/folder directory should be owned by the particular user who is accessing it.
Create directories.
sudo mkdir -p /sftp/folder
Configure correct permissions.
sudo chmod 755 /sftp
sudo chown root:root /sftp
sudo chmod -R 755 /sftp/folder
sudo chown username:username /sftp/folder
Step 3: Prevent SSH access and Restrict SFTP Access
Now modify the SSH server configuration to deny the user a shell and confine SFTP sessions to that directory.
Edit your SSH configuration file.
sudo nano /etc/ssh/sshd_config
Add the following to the end of the file. Match blocks must come last: every directive after a Match line belongs to that block until the next Match line or the end of the file.
Match User username
ForceCommand internal-sftp
PasswordAuthentication yes
ChrootDirectory /sftp
PermitTunnel no
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no
Match User tells the SSH server to apply the directives that follow only to the specified user.
ForceCommand internal-sftp makes the SSH server run its built-in SFTP server on login instead of a shell, which prevents SSH access. The built-in server is required here because the external /usr/lib/openssh/sftp-server binary would not exist inside the chroot.
PasswordAuthentication yes allows password authentication for this user. If you use SSH key-based login you can disable password authentication for this user by setting the value to no.
ChrootDirectory /sftp ensures that the user cannot reach anything outside the /sftp directory. If /sftp or any parent directory is not owned by root, or is writable by group or others, sshd rejects the login with "bad ownership or modes for chroot directory" in the auth log.
PermitTunnel no, AllowAgentForwarding no, AllowTcpForwarding no, and X11Forwarding no disable tunneling, agent forwarding, port forwarding, and X11 forwarding, respectively, so the account cannot be used as a pivot into the network even though it has no shell.
Hit CTRL + X, followed by Y and then ENTER, to save and exit the file.
The configuration now allows only SFTP access and denies SSH login for this user.
Restart the SSH service for the changes to take effect. On Ubuntu the unit is ssh.service; sshd is an alias for it, so either name works. Before restarting, it is worth validating the file with the sshd syntax check (sshd -t) so that a typo cannot lock you out of the server.
sudo systemctl restart sshd
For more details on configuring access for multiple usernames, you can follow this Chroot setup guide.
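As an added end-to-end version of Steps 1 to 3 (example code, not from the original tutorial), the script below creates the account, lays out the chroot with the required ownership, appends the Match block once, and checks the result before restarting sshd. It assumes an Ubuntu/Debian layout and GNU coreutils; the function names, the "folder" subdirectory and the script name sftp-only.sh are this example's own. The check_chroot_path function mirrors the ownership-and-mode test sshd applies to every component of ChrootDirectory, so a misconfigured parent directory is caught before users hit a cryptic login failure.

```shell
#!/usr/bin/env bash
# Added example, not part of the original tutorial: provisions an SFTP-only,
# chrooted account end to end and validates the chroot path the way sshd does.
# Assumptions: Ubuntu/Debian layout (/etc/ssh/sshd_config, GNU `stat`,
# `adduser`, `install`), run as root for the provisioning part.
# Function names and the "folder" subdirectory are this example's own.
set -eu

# sshd only honours ChrootDirectory when the directory and every parent are
# owned by root and not writable by group or others (mode bits 022 clear);
# otherwise login fails with "bad ownership or modes for chroot directory
# component". This is that test on one component, taking the uid and octal
# mode exactly as `stat -c '%u %a'` prints them, so it can run without root.
chroot_component_ok() {
    [ "$1" -eq 0 ] || return 1          # must be owned by root
    [ $(( 0$2 & 022 )) -eq 0 ]          # no group/other write bit
}

# Walk from the chroot directory up to / and apply the check to each component.
check_chroot_path() {
    d=$1
    while :; do
        set -- $(stat -c '%u %a' "$d")
        if ! chroot_component_ok "$1" "$2"; then
            echo "bad ownership or modes for chroot component $d (uid=$1 mode=$2)" >&2
            return 1
        fi
        [ "$d" = / ] && break
        d=$(dirname "$d")
    done
}

# Emit the sshd_config Match block for one user. Match blocks must sit at the
# end of sshd_config, because every directive after a Match line belongs to it.
render_match_block() {
    user=$1; chroot=$2; pw=${3:-no}
    cat <<EOF
Match User $user
    ForceCommand internal-sftp
    PasswordAuthentication $pw
    ChrootDirectory $chroot
    PermitTunnel no
    AllowAgentForwarding no
    AllowTcpForwarding no
    X11Forwarding no
EOF
}

# Create the user, the chroot layout, and the Match block, then reload sshd.
# Usage: sudo ./sftp-only.sh username [/sftp] [yes|no for password auth]
provision_sftp_user() {
    user=$1; chroot=${2:-/sftp}; pw=${3:-yes}
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    # adduser prompts for the password, as in the tutorial
    id "$user" >/dev/null 2>&1 || adduser --gecos "" "$user"
    install -d -m 755 -o root -g root "$chroot"              # chroot: root-owned
    install -d -m 755 -o "$user" -g "$user" "$chroot/folder" # user's writable dir
    check_chroot_path "$chroot"
    if ! grep -q "^Match User $user\$" /etc/ssh/sshd_config; then
        render_match_block "$user" "$chroot" "$pw" >> /etc/ssh/sshd_config
    fi
    sshd -t                        # syntax-check first so a typo cannot lock you out
    systemctl restart ssh          # sshd.service is an alias for ssh.service on Ubuntu
}

# Only provision when called with arguments; sourcing the file just defines functions.
if [ "$#" -ge 1 ]; then
    provision_sftp_user "$@"
fi
```

The grep guard keeps repeated runs from appending duplicate Match blocks, and the sshd -t check runs before the restart so a broken config is reported rather than applied. The chroot directory itself stays root-owned and 755, so the user can list it but only write inside folder.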
Step 4: Verify SFTP setup
Try logging in to the server with the ssh command using the SFTP user's credentials. You will be denied a shell.
ssh username@server_ip
You will receive an output similar to the one below.
Output
This service allows sftp connections only.
Connection to server_ip closed.
Now verify using the sftp command.
sftp username@server_ip
Now you should be logged in to the server and have access to the directory you have configured earlier.
Output
Connected to server_ip
sftp>
Use the ls command to list the contents of the chroot; you will see the directory named folder that you created and set permissions on earlier.
sftp> ls
Output
folder
Conclusion
You have now learned how to set up SFTP-only access for a user, confined to a specific directory, with SSH shell access denied.
Thanks for your time. If you face any problem or any feedback, please leave a comment below.