Home / server / Questions / 268977
Accepted
Toni Rosa
Asked: 2011-05-13 03:51:19 +0800 CST

How can I create a user only for sftp?

  • 772

I have added a user to the system via the adduser tool. Then, in /etc/passwd, I tried changing the /bin/bash to /sbin/nologin or to /dev/null, but neither of these worked.

I would like the user not having the option to get an interactive shell, and just to use sftp. Is there a way?

I know it's been asked here before but it seems no-one gave a satisfactory response.

linux upload ssh sftp

4 Answers

  1. Best Answer

    The command you should use to change the shell is chsh. The nologin shell can be /sbin/nologin or /usr/sbin/nologin (check which you have by looking in /etc/shells) but /bin/false would probably be a better choice.

    chsh -s /bin/false user

    You should consider setting up something like scponly which will do exactly what you want.

    • 11

  2. You should also be able to do it with OpenSSH 4.9 and up, with which you can additionally chroot the user for increased security.

    In your /etc/ssh/sshd_config:

    Match User user
ChrootDirectory /home/user
ForceCommand internal-sftp
AllowTcpForwarding no

    Then run:

    chsh -s /bin/false user
chown root:root /home/user
mkdir /home/user/uploads
chown user /home/user/uploads

    The user will only be able to write in /home/user/uploads.

    https://debian-administration.org/article/590/OpenSSH_SFTP_chroot_with_ChrootDirectory

    • 11

  3. I think the best way is with mysecureshell

    http://mysecureshell.sourceforge.net/en/index.html

    You can chroot a user with this easily and even limit bandwidth if needed.

    • 2

  4. You can add a user with -s /bin/false to disable their shell, but what you really should look into setting up is a chrooted sftp acccount. This will "jail" a user into their own directory and prevent them from being able to access or modify any files or directories outside of the chroot directory.

    • 1