Big Bytes

Create SFTP Only User on FreeBSD 10

SFTP is a secure way to give people access to files on a server. FTP is not a good option because passwords are transferred in plain text; SFTP runs over SSH, which encrypts both the passwords and the data. There is also no need to install a separate service, since SSH is already present on almost every server.

Give such users limited access to your server with shell login disabled, so they cannot run commands or browse other files. Log in as root to edit the following files and run the commands below.

Create a SFTP only group

This is the group to which the SFTP-only users will be added.
pw groupadd sftp

Configure SSH
nano /etc/ssh/sshd_config

Add these lines at the bottom of the file and change the chroot directory to suit your needs. They must go after all global options, because every directive that follows a Match line applies only to connections matching it, not to the whole server.

Match Group sftp
ChrootDirectory /home/%u
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp

Add a new SFTP user

Add a new user to your system and set the login group to sftp.

adduser
Username: customer
Full name: SFTP user
Uid (Leave empty for default):
Login group [customer]: sftp
Login group is sftp. Invite customer into other groups? []:
Login class [default]:
Shell (sh csh tcsh bash rbash nologin) [sh]:
Home directory [/home/customer]:
Home directory permissions (Leave empty for default):
Use password-based authentication? [yes]:
Use an empty password? (yes/no) [no]:
Use a random password? (yes/no) [no]:
Enter password:
Enter password again:
Lock out the account after creation? [no]:
Username : customer
Password : *****
Full Name : SFTP user
Uid : 1006
Class :
Groups : sftp
Home : /home/customer
Home Mode : root
Shell : /bin/sh
Locked : no
OK? (yes/no): yes
adduser: INFO: Successfully added (customer) to the user database.

The chroot directory, and every directory above it, needs to be owned by root and must not be writable by the group or by others; otherwise sshd refuses the login and logs "bad ownership or modes for chroot directory". Because the home directory is then owned by root, the user cannot write into it directly, which is why a writable subdirectory is created in the next step.

chown root:sftp /home/customer

Create a new directory within the user's home directory where files can be uploaded, and change its ownership to the new user and the sftp group.

mkdir /home/customer/files
chown customer:sftp /home/customer/files

Restart the SSH server

service sshd restart

Test the new SFTP only user

Finally, connect to your server with the SFTP-only user, navigate to the files directory, upload some files, and test that shell login is disabled for this user. Make sure that your client supports SFTP.
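The most common reason such a login fails is a chroot path that does not meet sshd's ownership rules. The script below is an added check, not part of the original post: a hypothetical helper that walks from the chroot directory up to the filesystem root and reports any component that is not owned by root or is group/world writable (the same conditions sshd tests before it will chroot a user). The owner and the top directory are parameters only so the check can be exercised on a temporary tree; in production you run it as `check_chroot /home/customer`.

```shell
#!/bin/sh
# check_component DIR OWNER
# Returns 1 (with a diagnostic) if DIR is not owned by OWNER or is
# writable by group or others. ls -ld is used because its first three
# fields (mode, link count, owner) are identical on FreeBSD and Linux.
check_component() {
    dir=$1; owner=$2
    set -- $(ls -ld "$dir")      # $1 = mode string, $3 = owner
    mode=$1; actual_owner=$3
    rc=0
    if [ "$actual_owner" != "$owner" ]; then
        echo "$dir: owned by $actual_owner, must be $owner"; rc=1
    fi
    # In a mode string such as drwxr-xr-x, character 6 is the group
    # write bit and character 9 is the world write bit.
    case "$mode" in
        ?????w*|????????w*) echo "$dir: group or world writable ($mode)"; rc=1 ;;
    esac
    return $rc
}

# check_chroot CHROOT [TOP] [OWNER]
# Checks CHROOT and every parent below TOP (default /). When TOP is /,
# the root directory itself is checked too, as sshd does. OWNER defaults
# to root; a different OWNER is only for testing on a scratch tree.
check_chroot() {
    chroot=$1; top=${2:-/}; owner=${3:-root}
    status=0
    p=$chroot
    while [ "$p" != "$top" ] && [ "$p" != "/" ]; do
        check_component "$p" "$owner" || status=1
        p=$(dirname "$p")
    done
    if [ "$top" = "/" ]; then
        check_component / "$owner" || status=1
    fi
    return $status
}

# Example invocation for the user created above (constructed path):
# check_chroot /home/customer && echo "chroot ownership and modes are OK"
```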

Sudhir Panda

No bhakt of any popular gangs, an irrepressible autodidact, pure blunt+ ideas on politics, economics, technology, culture, etc, do not fit any known ideologies. Tweets at https://wisepoint.org/@imsudhir
