SFTP uses SSH to set up a secure connection between computers for sending files.
With an SFTP server, you can relatively easily upload files to your server. This is useful, for example, for a web server to place website updates on your VPS, or for uploading media to a Plex server.
In this article, we show you how to adjust the OpenSSH configuration in CentOS 7 so that SFTP users get no shell (SSH) access to your server and each user's SFTP access is limited to a specific folder.
Do you prefer to use FTPS? Then take a look at our vsftpd article.
Step 1
Connect to your VPS via SSH or the VPS console in your control panel.
Step 2
All user accounts within Linux belong to one (or more) group(s). For security reasons, and to make it easier to manage SFTP accounts in bulk, create a group to which SFTP users are added:
groupadd sftp
You are free to adjust the group name as desired. Make sure that you then also adjust the group name in the following steps.
Step 3
Then, create a user with the command below, replacing username with the actual SFTP username and /sftp with the root folder below which this user will upload files (e.g. /sftp/username/files).
useradd -g sftp -d /sftp -s /sbin/nologin username
Step 4
Next, create a folder for the new user to which he / she can upload files.
mkdir -p /sftp/username/files
- Change username to the username that you chose in step 3.
- The option -p stands for parents and ensures that the parent folders sftp and username are also created.
- You are free to change the directory to another location (adjust the ChrootDirectory path in step 7 to match), for example:
  - If you host a website in /var/www/example.com/public_html, you would use /var/www/example.com/public_html here.
  - If you want to add an SFTP folder in a home directory, replace the folder name /sftp with, for example, /home/username/sftp. Note that the user must already exist in this example.
  - If you use a Plex server, for example with a Big Storage, you would use /mnt/bigstorage/plex-media/pictures (and/or videos, series) for example.
Step 5
Adjust the rights and ownership of the folders with the commands below.
This ensures that the sftp user ultimately only has rights to perform operations in the /sftp/username/files folder, and not in the parent folders. OpenSSH also refuses to chroot a user into a directory unless that directory, and every directory above it, is owned by root and not writable by group or others.
chmod 500 /sftp
Step 6
Finally, a small adjustment is needed to the configuration of your SSH server. First, open the configuration, for example:
nano /etc/ssh/sshd_config
Step 7
Scroll all the way down and add the lines below.
AllowGroups sftp sshd
Match Group sftp
ChrootDirectory /sftp/%u
ForceCommand internal-sftp
Users in the sftp group are automatically placed in the /sftp/%u folder, where %u is (automatically) replaced by the name of the user who logs in, and ForceCommand internal-sftp gives them only the SFTP subsystem, never a shell. Note that AllowGroups is a whitelist: once it is set, only members of the listed groups can log in over SSH at all, so make sure your own administrative account is in one of them before reloading sshd. The Match block belongs at the very end of the file, because every directive after a Match line applies only to that match.
Save the changes and close nano with ctrl + x > y > enter.
Step 8
Reload your SSH configuration afterwards with:
systemctl reload sshd
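Because sshd silently refuses the login (logging "bad ownership or modes for chroot directory") when the folder from step 5 or any of its parents is not root-owned or is writable by group or others, it helps to verify the path before reloading. The following script is an added example, not part of the original article; it assumes GNU or busybox `stat -c` (CentOS 7 coreutils provides it) and checks the path that the Match block in step 7 chroots into:

```shell
#!/bin/sh
# Added example, not from the original article: check whether a path is
# acceptable to sshd as a ChrootDirectory. sshd requires the directory and
# every parent up to / to be owned by root and writable by nobody else.
# Assumes a `stat` that supports -c '%u' and -c '%A' (CentOS 7 coreutils).
# check_dir DIR: returns 0 if DIR is root-owned and not group/world-writable.
check_dir() {
  dir=$1
  if [ ! -d "$dir" ]; then
    echo "missing directory: $dir"
    return 1
  fi
  uid=$(stat -c '%u' "$dir")    # numeric owner, must be 0 (root)
  mode=$(stat -c '%A' "$dir")   # symbolic mode, e.g. drwxr-xr-x
  if [ "$uid" != 0 ]; then
    echo "not owned by root (uid $uid): $dir"
    return 1
  fi
  # In the 10-character mode string, position 6 is the group write bit
  # and position 9 the world write bit.
  gw=$(printf '%s' "$mode" | cut -c6)
  ow=$(printf '%s' "$mode" | cut -c9)
  if [ "$gw" = w ] || [ "$ow" = w ]; then
    echo "writable by group or others ($mode): $dir"
    return 1
  fi
  return 0
}
# check_chroot_path PATH: run check_dir on / and on every component of
# PATH from the top down, stopping at the first one that fails.
check_chroot_path() {
  target=$1
  current=""
  check_dir / || return 1
  rest=${target#/}
  while [ -n "$rest" ]; do
    part=${rest%%/*}          # next path component
    rest=${rest#"$part"}
    rest=${rest#/}
    [ -z "$part" ] && continue
    current="$current/$part"
    check_dir "$current" || return 1
  done
  echo "ok: $target is usable as ChrootDirectory"
  return 0
}
# Usage: sh check_chroot.sh /sftp/username  (the path sshd chroots into)
if [ $# -gt 0 ]; then check_chroot_path "$1"; fi
```

Run it as root against /sftp/username (or whatever path you used for ChrootDirectory); the first line it prints names the offending directory, which is the one whose owner or mode needs correcting.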
You can now connect to your server via SFTP! Make sure you select SFTP as the protocol in your SFTP software instead of FTP / FTPS, and use your SSH port instead of your FTP port. If you are not sure which port this is, you can find it on your server with the command:
cat /etc/ssh/sshd_config | grep Port