How To Enable & Configure SFTP in CentOS 7
Steps you must follow to know how to enable and configure SFTP in CentOS 7
SFTP (SSH File Transfer Protocol) is different from the FTP type although it supports all the FTP clients that we find today. Although SFTP has been implemented to add a security layer, it presents an access level vulnerability since, being a standard, it grants total access to system users for file transfer and use of the Shell.
Today I will teach how to configure CentOS 7 to prevent a particular user from having SSH access with the freedom to manipulate the system through the SFTP protocol.
Step 1: User Creation
First of all, we will create the user that will have access restricted by SSH, in this case, we will call it access, we execute the following:
sudo adduser access
Next, we assign a password to the new user by running the following:
sudo passwd access
Step 2: Create Directory for File Transfer
Once our user is created, the next step is to create the directory where SFTP will act, preventing access and this must be configured with specific parameters.
We will create a directory called /var/sftp/uploads in which the /var/sftp is part of the root user, and no other user will have the current permissions, and in the subdirectory /var/sftp/uploads the owner will be the new user access. We create the directory using the following line:
sudo mkdir -p /var/sftp/uploads
Next, we establish the root user as owner in the indicated directory:
sudo chown root:root /var/sftp
We grant write permissions to the root user and read to the other users in the suggested route:
sudo chmod 755 /var/sftp
Now modify the owner of uploads to be the user access, we execute the following:
sudo chown access:access /var/sftp/uploads
Step 3: Restrict Directory Access
In this step we will see how to restrict the access by the terminal to the user access but if the transfer of files will be possible. For this we must edit the SSH server with the preferred editor, vim or nano, in the following path:
sudo nano /etc/ssh/sshd_config
We will see the following:
In the final part of the file we add the following: Match User access ForceCommand internal-sftp PasswordAuthentication yes ChrootDirectory /var/sftp PermitTunnel no AllowAgentForwarding no AllowTcpForwarding no X11Forwarding no
Save the changes using the key combination Ctrl + O and exit the editor using the Ctrl + X keys.
Execute the following command to apply the changes in SSH:
sudo systemctl restart sshd
Step 4: Verify SSH Connection
With this configured it will be time to validate the access through SSH and verify that only the transfer of files will be possible. For this we go to the connection through SSH which in this case will be.
ssh [email protected]
Once we enter the access credentials we will see the following message:
With this, we have verified that the connection will be closed through SSH. Now we will try the connection using the sftp protocol:
sftp [email protected]
When entering the password, we will see that the connection is successful and we will be able to transfer files:
There we can use the ls command to list the available directories, and we will see the uploads folder that we have created:
So simple we can restrict access thanks to sftp.
Thanks a lot for your explanation.
I have tried to implement but at the end I go an error when I try to list the content of the user’s root folder :
remote readdir(“/”): Permission denied
I will be glad if could help on this issue.
that is by design. you can only “talk” to directories below this level