How to set up an SFTP-only user account on CentOS 7
SFTP (SSH File Transfer Protocol, also known as Secure FTP) is a popular method for securely transferring files between remote systems. It was designed as an extension of the Secure Shell protocol (SSH) version 2.0 to enhance secure file transfer capabilities. It supports file access, file transfer, and file management functionalities without command or data channels.
Follow the steps below to create an SFTP-only user:
1. Create a dedicated SFTP group and a dedicated SFTP user.
groupadd sftpusers
useradd -g sftpusers -d /home/test1 -s /sbin/nologin test1
passwd test1
Here, the group sftpusers is a dedicated SFTP group and the user test1 is a dedicated SFTP user which is forbidden to log in using SSH.
2. Modify the configuration of the sshd service
Open the configuration file of the sshd service:
vim /etc/ssh/sshd_config
Find the line:
Subsystem sftp /usr/libexec/openssh/sftp-server
Replace it with:
Subsystem sftp internal-sftp
Append the following lines to the end of the file. The group name sftpusers should be the same as the one you specified earlier.
Match Group sftpusers
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
Also uncomment the line:
PasswordAuthentication yes
Save and quit:
:wq
To put your changes into effect, restart the sshd service.
systemctl restart sshd
3. Create a dedicated directory for the SFTP-only user and grant the required permissions
mkdir -p /home/test1
chmod -R 755 /home/test1
chown test1: /home/test1
Now, the user test1 can only upload and/or download files in the directory /home/test1; he/she can never touch other users' files.
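One way to check the settings from step 2 before restarting sshd, as an added example that is not part of the original article: a small shell function that audits an sshd_config-style file for the SFTP-only directives used above, and warns that the Match block as written sets no ChrootDirectory. The names audit_sftp_group and tutorial_config are hypothetical, and the sample configuration is constructed from the lines shown in this tutorial.

```shell
#!/bin/sh
# Added example, not part of the original tutorial.
# audit_sftp_group FILE GROUP: check an sshd_config-style file for the
# SFTP-only settings from step 2. Prints findings, returns 0 if none FAIL.
# Assumes the Match line names exactly one group (no pattern lists).
audit_sftp_group() {
    awk -v group="$2" '
    BEGIN { bad = 0; seen = 0; in_block = 0 }
    function fail(msg) { print "FAIL: " msg; bad = 1 }
    /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
    { kw = tolower($1) }                     # keywords are case-insensitive
    kw == "subsystem" && $2 == "sftp" { subsys = $3 }
    kw == "match" {                          # block runs to the next Match or EOF
        in_block = (tolower($2) == "group" && $3 == group)
        if (in_block) seen = 1
        next
    }
    in_block { val[kw] = $2 }
    END {
        if (subsys != "internal-sftp") fail("Subsystem sftp is not internal-sftp")
        if (!seen) {
            fail("no Match Group " group " block")
        } else {
            if (val["forcecommand"] != "internal-sftp") fail("ForceCommand internal-sftp missing")
            if (tolower(val["allowtcpforwarding"]) != "no") fail("AllowTcpForwarding is not no")
            if (tolower(val["x11forwarding"]) != "no") fail("X11Forwarding is not no")
            # Without ChrootDirectory the session is not jailed to the home directory.
            if (!("chrootdirectory" in val)) print "WARN: no ChrootDirectory in block"
        }
        exit bad
    }' "$1"
}

# Constructed sample: the sshd_config lines this tutorial ends up with.
tutorial_config() {
cat <<'EOF'
Subsystem sftp internal-sftp
PasswordAuthentication yes
Match Group sftpusers
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
EOF
}

cfg=$(mktemp)
tutorial_config > "$cfg"
audit_sftp_group "$cfg" sftpusers && echo "PASS: no FAIL findings"
rm -f "$cfg"
```

To audit the live file, run audit_sftp_group /etc/ssh/sshd_config sftpusers as a user who can read it.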