How to Allow SFTP and disallow SSH?
- Monday, May 15, 2017 By David Peter
In this tutorial, I will explain how to configure SSH to allow SFTP and disallow SSH login access.
SFTP runs over SSH, so by default users can use both SSH and SFTP. If you want users to use only SFTP and have no SSH login access, OpenSSH supports that: from OpenSSH version 4.9 you can edit the sshd_config file as shown below.
How to allow SFTP and disallow SSH
Step 1: Edit SSH configuration file
# vim /etc/ssh/sshd_config
Step 2: Look for the SFTP subsystem line.
If the Subsystem line is already set as shown below:
Subsystem sftp /usr/lib/openssh/sftp-server
Then you need to change it to:
Subsystem sftp internal-sftp
Both sftp-server and internal-sftp are SSH subsystems, but internal-sftp is preferred. The reason is that internal-sftp is an in-process SFTP server: it has a performance advantage over sftp-server and does not require additional support files (binaries or libraries inside the chroot) when used with the ChrootDirectory option.
Step 3: Add the below lines
Match group ftp
    ChrootDirectory /home/%u
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp
The 'Match group ftp' line means that any user who wants to use SFTP must belong to a group called 'ftp' (create your own group, if needed). Using the internal-sftp subsystem is also important, because we'll be using the ChrootDirectory option.
Note: Ensure that the above lines are added after 'UsePAM yes' in the sshd_config file. Every directive that follows a Match line belongs to that Match block, so the block should go at the end of the file.
Step 4: Add users to FTP group.
# vim /etc/group
Find the ftp group line and append the user name to it, for example the user 'sysadmin'.
Because of the chroot you may have to change the user's home directory to / (paths are relative to the chroot). In addition, /home/user itself must be owned by root and must not be writable by group or others, otherwise sshd refuses the chroot and the SFTP login fails.
Step 5: Check that the configuration is valid before restarting the SSH service. This step is very important.
# sshd -t
If there’s an error, it will be displayed on the screen. Otherwise no output will be displayed.
Step 6: Restart the SSHD service (use whichever of the following commands applies to your system)
# /etc/init.d/ssh restart
# /etc/init.d/sshd restart
# service ssh restart
# service sshd restart
Step 7: Test
Now any user belonging to the 'ftp' group will be allowed to use SFTP but cannot log in using SSH.
Note: The above commands were executed and tested on Ubuntu 14.04.4 LTS.
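As an added check, written for this article and not part of the original tutorial, the following POSIX shell functions audit an sshd_config for the SFTP-only pattern above and verify the owner and mode that sshd demands of a ChrootDirectory. The sample config is constructed, and chroot_dir_ok assumes GNU stat.

```shell
#!/bin/sh
# Constructed sshd_config sample (not copied from any real host) so the checks
# below can run offline; on a real system point them at /etc/ssh/sshd_config.
SAMPLE_CFG="${TMPDIR:-/tmp}/sftp-only-sample.conf"
cat > "$SAMPLE_CFG" <<'EOF'
UsePAM yes
Subsystem sftp internal-sftp
Match group ftp
    ChrootDirectory /home/%u
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp
EOF

# Print "keyword value" (keyword lower-cased) for every directive inside the
# "Match group <name>" block: everything from that Match line to the next Match.
# Assumes the "Keyword value" spelling used in the tutorial, not "Keyword=value".
match_block() { # $1 = config file, $2 = group name
  awk -v grp="$2" '
    tolower($1) == "match" { inblk = (tolower($2) == "group" && $3 == grp); next }
    inblk && NF && $1 !~ /^#/ { print tolower($1), $2 }' "$1"
}

# Succeed only if the file implements the SFTP-only pattern: the internal-sftp
# subsystem plus a Match block for the group that forces internal-sftp, sets a
# ChrootDirectory and disables X11 and TCP forwarding.
check_sftp_only() { # $1 = config file, $2 = group name
  grep -Eiq '^[[:space:]]*Subsystem[[:space:]]+sftp[[:space:]]+internal-sftp' "$1" || return 1
  blk=$(match_block "$1" "$2")
  for want in "forcecommand internal-sftp" "x11forwarding no" "allowtcpforwarding no"; do
    printf '%s\n' "$blk" | grep -qx "$want" || return 1
  done
  printf '%s\n' "$blk" | grep -q '^chrootdirectory ' || return 1
}

# sshd refuses a ChrootDirectory unless it is owned by root and not writable by
# group or others; check an owner uid and octal mode (e.g. 0 755) for that.
chroot_perms_ok() { # $1 = owner uid, $2 = octal mode
  [ "$1" -eq 0 ] || return 1
  for d in $(printf '%s' "$2" | tail -c 2 | sed 's/./& /g'); do
    case $d in 2|3|6|7) return 1 ;; esac   # group/other write bit set
  done
  return 0
}

# Live check of a directory (GNU stat output format assumed).
chroot_dir_ok() { chroot_perms_ok $(stat -c '%u %a' "$1"); }

check_sftp_only "$SAMPLE_CFG" ftp && echo "sample config: SFTP-only pattern present"
```

Run chroot_dir_ok /home/sysadmin (or whichever home the Match block chroots into) after Step 4; a non-zero exit there explains most "connection closed" failures at Step 7.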