How to Allow SFTP and disallow SSH?

Updated on September 2, 2017

In this tutorial, I will explain how to configure SSH to allow SFTP and disallow SSH login access.


Well, SFTP uses SSH and by default the users will able to use both SSH and SFTP. But if you ever want users to use only SFTP and disallow SSH access, then OpenSSH supports that. From OpenSSH version 4.9, you can edit sshd_config file as shown below:

allow sftp disallow ssh

How to allow SFTP and disallow SSH

Step 1: Edit SSH configuration file

# vim /etc/sshd_config

Step 2: Lookout for FTP subsystem.

In case, if the Subsystem is already set as shown below:

Subsystem sftp /usr/lib/openssh/sftp-server

Then you need to change it to:

Subsystem sftp internal-sftp

Both sftp-server and internal-sftp are the subsystems of SSH, but internal-sftp is most preferred. The reason is, internal-sftp is an in-process sftp server that has performance advantage over stp-server and also does not require additional support files when used with ChrootDirectory option.

Step 3: Add the below lines

Match group ftp
     ChrootDirectory /home/%u
     X11Forwarding no
     AllowTcpForwarding no
     ForceCommand internal-sftp

Lookout for ‘Match group ftp‘ line which tells that any user who wants to use SFTP should belong to group called ‘ftp‘ (create your own group, if needed). Also using internal-sftp subsystem is important, because we’ll be using ChrootDirectory option.

Note: Ensure that the above lines are added after ‘UsePAM yes‘ in the sshd_config file.

Step 4: Add users to FTP group.

# vim /etc/group

Lookout for FTP group and add users as shown below for example user ‘sysadmin‘.


You may have to change the user’s home directory to / because of the use of Chroot and root should be the owner of /home/user.

Step 5: Test if the configurations are proper before restarting the SSH service. This step is very important.

# sshd -t

If there’s an error, it will be displayed on the screen. Otherwise no output will be displayed.

Step 6: Restart SSHD service

# /etc/init.d/ssh restart


# /etc/init.d/sshd restart


# service ssh restart


# service sshd restart

Step 7: Test

Now any user belonging to ‘ftp‘ group will be allowed to use SFTP but cannot login using SSH.

Note: The above commands were executed and tested on Ubuntu 14.04.4 LTS.

Was this article helpful?

Related Articles

Comments Leave a Comment

Leave a Comment