Ubuntu SFTP-Only Account How-to

This guide will show you how to set up Linux user accounts restricted to using SFTP only. These accounts will be unable to run arbitrary shell commands on the server or access/create files outside their own home directories. The steps in this guide were tested on Ubuntu Server 10.04 with version 5.3p1 of the OpenSSH daemon, obtained from the Ubuntu software repositories.

Although this guide is aimed at Ubuntu users, it should also be applicable to other flavors of Linux. The most important factor to consider is the version of OpenSSH you have installed on your system. Version 5.0 or above is recommended as these versions support the OpenSSH ChrootDirectory configuration option that we’ll be using here.

Right, that’s enough of the rambling, let’s get to it…


Step 1- Create a Group for the Restricted Accounts

For the sake of this example, we’ll create a new group called ‘sftponly‘. It’s best to use the addgroup command to do this, as it takes care of allocating an unused GID (Group Identifier) to the new group for us:

sudo addgroup sftponly

Step 2- Create the User Account

For example’s sake, we’ll create a user account with the username ‘bob‘, set his home directory as ‘/home/bob‘ and give him the password ‘pass

We’ll use the useradd command here as it takes care of assigning an unallocated UID to the user account for us.

Creating the User Account:

sudo useradd -d /home/bob -s /usr/lib/sftp-server -M -N -g sftponly bob

Setting the Password:

sudo passwd bob

Step 3- Set up the user’s home directory

Right, let’s create a home for bob and give him somewhere to put his files. Enter the commands below one by one on separate lines:

sudo mkdir -p /home/bob/uploads /home/bob/.ssh
sudo chown root:root /home/bob
sudo chown bob:sftponly /home/bob/uploads /home/bob/.ssh
sudo chmod 700 /home/bob/.ssh

The first line creates the ‘/home/bob‘, ‘/home/bob/uploads‘ and ‘/home/bob/.ssh‘ directories.

The second line sets the owner and group of the /home/bob directory to root. This is an important step as the SSH server will complain (and refuse to let our restricted user log in) if the root of the user’s home directory is NOT owned by root.

The third line sets the owner and group on ‘/home/bob/uploads‘ and ‘/home/bob/.ssh‘ so these directories can be used by the restricted user. In this example, the ‘uploads‘ subdirectory will be used to store files while the ‘.ssh‘ subdirectory is used to store the user’s public key.
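The ownership requirement above applies to every component of the chroot path, not just the home directory itself: sshd requires each one to be a root-owned directory that is not writable by group or others. The script below is an added example (not part of the original guide) that audits a path against that rule; the function names are made up for illustration and it assumes GNU stat, as shipped on Ubuntu.

```shell
#!/bin/sh
# Added example: audit a ChrootDirectory path against sshd's ownership rule.
# check_dir and check_chroot_path are illustrative names. Assumes GNU stat.

# check_dir DIR [UID]: pass only if DIR is a directory owned by UID
# (default 0, i.e. root) and not writable by group or others.
check_dir() {
    dir=$1
    want_uid=${2:-0}
    if [ ! -d "$dir" ]; then
        echo "FAIL $dir: not a directory" >&2
        return 1
    fi
    uid=$(stat -L -c %u "$dir")
    mode=$(stat -L -c %a "$dir")
    if [ "$uid" -ne "$want_uid" ]; then
        echo "FAIL $dir: owned by uid $uid, expected $want_uid" >&2
        return 1
    fi
    # The leading 0 makes the shell read the mode as octal; 022 = g+w, o+w.
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "FAIL $dir: mode $mode is group- or world-writable" >&2
        return 1
    fi
    return 0
}

# check_chroot_path DIR [UID]: run check_dir on DIR and on every parent
# directory up to /, reporting all failures rather than stopping at the first.
check_chroot_path() {
    case $1 in
        /*) ;;
        *) echo "FAIL $1: path must be absolute" >&2; return 2 ;;
    esac
    path=$1
    rc=0
    while :; do
        check_dir "$path" "${2:-0}" || rc=1
        [ "$path" = / ] && break
        path=$(dirname "$path")
    done
    return "$rc"
}

# Usage: sh check_chroot.sh /home/bob
if [ "$#" -gt 0 ]; then
    check_chroot_path "$1"
fi
```

A non-zero exit status means at least one component would make sshd reject the login; the FAIL lines on stderr name the offending directories.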

You should be able to log in to your account with a username and password when you’ve completed all the steps in this guide, but it’s recommended you use the public key method for authentication as it is considerably more secure.

If you already have a private and public key you would like to use, then all you need to do is to upload a copy of the public key to a subdirectory named .ssh in the user’s home directory.

Assuming that our public key file is named ‘bob.pub‘, we would issue the following commands to set up public key authentication for the bob user account.

cd /home/bob/.ssh
cat bob.pub >> authorized_keys
chmod 600 authorized_keys
chown bob:sftponly authorized_keys
rm bob.pub

Step 4- Add an entry to /etc/shells

Open the file /etc/shells as root in your favorite text-editor, and add the following line at the bottom:


Step 5- Amend the SSH Server Configuration file

Open the SSH server configuration file as root to start making changes. On an Ubuntu system, this file is usually /etc/ssh/sshd_config. This may differ with other distributions, so check beforehand.

Find the line Subsystem sftp /usr/lib/openssh/sftp-server and change it to read:

Subsystem sftp internal-sftp

Now add the following lines at the bottom of the file:

Match group sftponly
    ChrootDirectory %h
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp

The line Match group sftponly tells the SSH server to apply the configuration options below it to all members of the ‘sftponly‘ system group.

The line ‘ChrootDirectory %h‘ tells the SSH server to confine a user to their home directory only (the home directory is specified here using ‘%h‘).

The ‘X11Forwarding no‘ and ‘AllowTcpForwarding no‘ lines prevent the user from, respectively, accessing graphical applications on the server and from connecting to other systems via ours.

The ‘ForceCommand internal-sftp‘ line prevents the user from executing their own commands and forces them to use the SFTP server component of the SSH server by executing the ‘internal-sftp‘ command when the user logs in.
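To confirm that the Match block really applies to a restricted user, the effective settings can be dumped with sshd's extended test mode (-T with a -C connection spec) and checked. The function below is an added example, not part of the original guide: verify_sftp_only is an illustrative name, and the sample input is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: check "keyword value" lines, the format printed by sshd -T,
# for the four restrictions set in the Match block above.
# Real use (needs root to read the host keys):
#   sudo sshd -T -C user=bob,host=localhost,addr=127.0.0.1 | verify_sftp_only

verify_sftp_only() {
    awk '
        # Fail if keyword k does not have exactly the wanted value.
        function need(k, want) {
            if (val[k] != want) {
                printf "FAIL %s is \"%s\", want \"%s\"\n", k, val[k], want
                bad = 1
            }
        }
        # Keep the last value seen for each keyword (keywords are
        # case-insensitive, so normalise them to lower case).
        NF >= 1 {
            key = tolower($1)
            $1 = ""
            sub(/^[ \t]+/, "")
            val[key] = $0
        }
        END {
            # Any value other than "none" means a chroot is in force.
            if (val["chrootdirectory"] == "" || val["chrootdirectory"] == "none") {
                print "FAIL chrootdirectory is not set"
                bad = 1
            }
            need("forcecommand", "internal-sftp")
            need("allowtcpforwarding", "no")
            need("x11forwarding", "no")
            exit bad
        }'
}

# Constructed sample of the relevant lines for a member of sftponly.
sample_ok='chrootdirectory %h
forcecommand internal-sftp
allowtcpforwarding no
x11forwarding no'

printf '%s\n' "$sample_ok" | verify_sftp_only && echo "sample: all restrictions present"
```

Running the same pipeline for a user outside the sftponly group should report failures, which shows the restrictions are scoped to the group rather than applied globally.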

More information on the various SSH server configuration options available and what they do can be found here.

Step 6- Restart the SSH Server

Ubuntu/Debian users can issue the following command to restart the SSH server:

sudo /etc/init.d/ssh restart

That’s it. You should be able to log in using the ‘sftp‘ command with either the username and password you set up or using your private key (if you set this up in Step 2). Using the setup outlined here, you would only have to repeat steps 1-3 to set up new accounts.

Hope this is useful to someone.