How To Enable & Configure SFTP in CentOS 7

Steps you must follow to know how to enable and configure SFTP in CentOS 7

SFTP (SSH File Transfer Protocol) is different from the FTP type although it supports all the FTP clients that we find today. Although SFTP has been implemented to add a security layer, it presents an access level vulnerability since, being a standard, it grants total access to system users for file transfer and use of the Shell.

Today I will teach how to configure CentOS 7 to prevent a particular user from having SSH access with the freedom to manipulate the system through the SFTP protocol.

Step 1: User Creation

First of all, we will create the user that will have access restricted by SSH, in this case, we will call it access, we execute the following:

sudo adduser access

Next, we assign a password to the new user by running the following:

sudo passwd access

Step 2: Create Directory for File Transfer

Once our user is created, the next step is to create the directory where SFTP will act, preventing access and this must be configured with specific parameters.

We will create a directory called /var/sftp/uploads in which the /var/sftp is part of the root user, and no other user will have the current permissions, and in the subdirectory /var/sftp/uploads the owner will be the new user access. We create the directory using the following line:

sudo mkdir -p /var/sftp/uploads

Next, we establish the root user as owner in the indicated directory:

sudo chown root:root /var/sftp

We grant write permissions to the root user and read to the other users in the suggested route:

sudo chmod 755 /var/sftp

Now modify the owner of uploads to be the user access, we execute the following:

sudo chown access:access /var/sftp/uploads

Step 3: Restrict Directory Access

In this step we will see how to restrict the access by the terminal to the user access but if the transfer of files will be possible. For this we must edit the SSH server with the preferred editor, vim or nano, in the following path:

sudo nano /etc/ssh/sshd_config

We will see the following:

In the final part of the file we add the following:

Match User access

ForceCommand internal-sftp

PasswordAuthentication yes

ChrootDirectory /var/sftp

PermitTunnel no

AllowAgentForwarding no

AllowTcpForwarding no

X11Forwarding no

Save the changes using the key combination Ctrl + O and exit the editor using the Ctrl + X keys.

Execute the following command to apply the changes in SSH:

sudo systemctl restart sshd

Step 4: Verify SSH Connection

With this configured it will be time to validate the access through SSH and verify that only the transfer of files will be possible. For this we go to the connection through SSH which in this case will be.

ssh [email protected]

Once we enter the access credentials we will see the following message:

With this, we have verified that the connection will be closed through SSH. Now we will try the connection using the sftp protocol:

sftp [email protected]

When entering the password, we will see that the connection is successful and we will be able to transfer files:

There we can use the ls command to list the available directories, and we will see the uploads folder that we have created:

So simple we can restrict access thanks to sftp.

Similar Posts


  1. Hello,
    Thanks a lot for your explanation.
    I have tried to implement but at the end I go an error when I try to list the content of the user’s root folder :

    remote readdir(“/”): Permission denied

    I will be glad if could help on this issue.


Leave a Reply

Your email address will not be published. Required fields are marked *