Cart

    Sorry, we could not find any results for your search querry.

    SFTP tutorial CentOS 7

    SFTP uses SSH to set up a secure connection between computers for sending files.

    With an SFTP server, you can relatively easily upload files to your server. This is useful, for example, for a web server to place website updates on your VPS, or for uploading media to a Plex server.

    In this article, we show you how to adjust the configuration of OpenSSH in CentOS 7 so that SFTP users have no further SSH access to your server and limit the SFTP access to a specific folder per user.

    Do you prefer to use FTPS? Then take a look at our vsftpd article.

    • Use sudo or follow the steps in this article as a root user.
    • CentOS 7 comes with OpenSSH installed by default and you do not have to install it separately.

     

    Step 1

    Connect to your VPS via SSH or the VPS console in your control panel.


     

    Step 2

    All user accounts within Linux belong to one (or more) group(s). For security reasons, and to make it easier to manage SFTP accounts in bulk, create a group to which SFTP users are added:

    groupadd sftp

    You are free to adjust the group name as desired. Make sure that you then also adjust the group name in the following steps.


     

    Step 3

    Then, create a user with the command below, replacing your username with the actual sftp username and /sftp with the name of the root folder to which this user will upload his files (e.g. /sftp/username/files).

    useradd -g sftp -d /sftp -s /sbin/nologin username

    Explanation

    • useradd: adds a new user
      • -g sftp: adds the new user to the sftp group
      • -d /sftp: sets /sftp as the home directory of this user
      • -s /sbin/nologin: the user gets shell access /sbin/nologin, in other words: no login rights via ssh
      • username: the username of the new user
    •  passwd username: set a password for the new user

     

    Step 4

    Next, create a folder for the new user to which he / she can upload files.

    mkdir -p /sftp/username/files
    • Change username to the username that you chose in step 3.
    • The addition -p stands for parent and ensures that the underlying sftp and username folders are also created.
    • You are free to change the directory to another location, for example:
      • If you host a website in /var/www/example.com/public_html, you would use /var/www/example.com/public_html here.
      • Suppose you want to add an SFTP folder in a home directory, then, you replace the folder name /sftp with /home/username/sftp for example. Please note that the user must exist in this example.
      • If you use a Plex server, for example with a Big Storage, then, you would use /mnt/bigstorage/plex-media/pictures (and / or videos / series) for example.

     

    Step 5

    Adjust the rights and ownership of the folders with the commands below.

    This ensures that the sftp user ultimately only has rights to perform operations in the /sftp/username/files folder, and not in the underlying folders.

    chmod 500 /s
    ftp

    Explanation

    • chmod 500 /sftp: Only give the owner of /sftp read and execute rights to the /sftp folder.
    • chmod 700 /sftp: Only give the owner of /sftp/username/files read, write and execute rights in the /sftp/username/files folder
    • chown root: sftp / sftp / username: Makes the user root and the sftp group the owner of the /sftp/username folder
    • chown username:sftp/sftp/username/files: Makes the user username and the ftpusers group (the group to which username belongs) owner of /sftp/username/files

     

    Step 6

     

    Finally, a small adjustment is needed to the configuration of your SSH server. First, open the configuration, for example:

    nano /etc/ssh/sshd_config

     

    Step 7

    Scroll all the way down and add the lines below.

    AllowGroups sftp sshd
    Match Group sftp
    ChrootDirectory /sftp/%u
    ForceCommand internal-sftp

    Users of the sftp group are automatically placed in the /sftp/u% folder, where u% (automatically) is the name of the user who logs in.

    Save the changes and close nano with ctrl + x > y > enter.


     

    Step 8

    Reload your SSH configuration afterwards with:

    systemctl reload sshd

     

     

    You can now connect to your server via SFTP! Make sure you select SFTP as the protocol in your SFTP software instead of FTP / FTPS. You also use your SSH port instead of your FTP port. If you are not sure which port this is, you can find it on your server with the command:

    cat /etc/ssh/sshd_config | grep Port

    Should you have any questions left regarding this article, do not hesitate to contact our support department. You can reach them via the ‘Contact Us’ button at the bottom of this page.

    Need help?

    Receive personal support from our supporters

    Contact us