How can I create an SFTP user in CentOS?


Non-chroot access

If you don't have an FTP server set up, and you trust the user that will be logging in not to go poking around your server too much, I'd be inclined to give them an account to SFTP into the system instead.

The CentOS wiki maintains a simple howto titled: Simple SFTP setup that makes this pretty pain free.

I say it's pain free because you literally just have to make the account, make sure that the firewall allows SSH traffic, make sure the SSH service is running, and you're pretty much done.

If sshd isn't already running:

$ /etc/init.d/sshd start

To add a user:

$ sudo useradd userX
$ sudo passwd userX
... set the password ...

When you're done with the account:

$ sudo userdel -r userX

Chroot access

If on the other hand you want to limit this user to a designated directory, the SFTP server included with SSH (openssh) provides a configuration that makes this easy to enable too. It's a bit more work but not too much. The steps are covered here in this tutorial titled: How to Setup Chroot SFTP in Linux (Allow Only SFTP, not SSH).

Make these changes to your /etc/ssh/sshd_config file.

Subsystem       sftp    internal-sftp

## You want to put only certain users (i.e. users who belong to the sftpusers group) in the chroot jail environment. Add the following lines at the end of /etc/ssh/sshd_config

Match Group sftpusers
  ChrootDirectory /sftp/%u
  ForceCommand internal-sftp

Now you'll need to make the chrooted directory tree that this user will be locked into.

$ sudo groupadd sftpusers
$ sudo mkdir -p /sftp/userX/{incoming,outgoing}
$ sudo chown userX:sftpusers /sftp/userX/{incoming,outgoing}   # the userX account (created with useradd below) must exist before chown

Permissions should look like the following:

$ ls -ld /sftp/userX/{incoming,outgoing}
drwxr-xr-x 2 userX sftpusers 4096 Dec 28 23:49 /sftp/userX/incoming
drwxr-xr-x 2 userX sftpusers 4096 Dec 28 23:49 /sftp/userX/outgoing

The top level directories like this:

$ ls -ld /sftp /sftp/userX
drwxr-xr-x 3 root root 4096 Dec 28 23:49 /sftp
drwxr-xr-x 3 root root 4096 Dec 28 23:49 /sftp/userX

Don't forget to restart the sshd server:

$ sudo service sshd restart

Now create the userX account:

$ sudo useradd -g sftpusers -d /incoming -s /sbin/nologin userX
$ sudo passwd userX
... set password ...

You can check that the account was created correctly:

$ grep userX /etc/passwd
userX:x:500:500::/incoming:/sbin/nologin

When you're done with the account, delete it in the same way above:

$ sudo userdel -r userX

...and don't forget to remove the configuration file changes we made above, then restart sshd to make them active once more.
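As an added example that is not part of the answer above: a Python pre-flight check for this chroot layout. It applies the rule sshd enforces on every path component of ChrootDirectory (root-owned, not group/world writable, which is why only incoming/outgoing belong to userX) and flags the two common sshd_config mistakes for this setup: Subsystem still pointing at the external sftp-server binary, or a Match block without ForceCommand. The config path and the /sftp/userX location it checks are assumptions taken from the answer.

```python
"""Pre-flight check for the chroot SFTP layout above (paths/config assumed).
sshd refuses a chroot ("bad ownership or modes for chroot directory") unless
every component of ChrootDirectory (/, /sftp, /sftp/userX) is root-owned and
not group/world writable; hence only incoming/outgoing belong to userX."""
import os
import re
import stat


def chroot_path_problems(chroot_dir):
    """Return ownership/mode problems, one entry per offending component."""
    problems, prefixes, path = [], [], os.path.abspath(chroot_dir)
    while True:  # collect /sftp/userX, /sftp, /
        prefixes.append(path)
        parent = os.path.dirname(path)
        if parent == path:
            break
        path = parent
    for p in reversed(prefixes):  # check from / downwards, as sshd does
        try:
            st = os.stat(p)
        except FileNotFoundError:
            problems.append(f"{p}: does not exist")
            break
        if st.st_uid != 0:
            problems.append(f"{p}: owned by uid {st.st_uid}, must be root")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append(f"{p}: group/world writable (mode {oct(st.st_mode & 0o777)})")
    return problems


def sshd_config_problems(text, group="sftpusers"):
    """sftp-server is a binary outside the jail, so a chroot needs internal-sftp."""
    problems = []
    if not re.search(r"(?m)^[ \t]*Subsystem[ \t]+sftp[ \t]+internal-sftp[ \t]*$", text):
        problems.append("Subsystem sftp must be internal-sftp")
    block = re.search(rf"(?ms)^[ \t]*Match[ \t]+Group[ \t]+{re.escape(group)}[ \t]*$"
                      r"(.*?)(?=^[ \t]*Match\b|\Z)", text)
    if not block:
        return problems + [f"no 'Match Group {group}' block"]
    body = block.group(1)  # directives up to the next Match line or end of file
    if not re.search(r"(?m)^[ \t]*ChrootDirectory[ \t]+\S", body):
        problems.append("Match block lacks ChrootDirectory")
    if not re.search(r"(?m)^[ \t]*ForceCommand[ \t]+internal-sftp[ \t]*$", body):
        problems.append("Match block lacks 'ForceCommand internal-sftp'")
    return problems


if __name__ == "__main__":  # /sftp/%u from the answer, expanded for userX
    for problem in chroot_path_problems("/sftp/%u".replace("%u", "userX")):
        print(problem)
```

Run sshd_config_problems() over the contents of /etc/ssh/sshd_config and chroot_path_problems() over the expanded ChrootDirectory before restarting sshd; an empty list from both means the jail will be accepted.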


Author: OC2PS

Updated on September 18, 2022

Comments

  • OC2PS
    OC2PS over 1 year

    I'd like to give temporary SFTP access to a support guy. How do I create an SFTP user? And how can I delete it once the job is done?

    Also, how do I specify a home directory for them? Can I prevent them from accessing certain subdirectories within their home directory?

    We use CentOS 6.3 and fzSftp

    • S edwards
      S edwards over 10 years
It depends on your configuration; providing us your config file could help.
    • OC2PS
      OC2PS over 10 years
      What particular settings should I post?
    • S edwards
      S edwards over 10 years
The one of your FTP daemon.
    • slm
      slm over 10 years
      Are you sure you want FTP or SFTP? The reason I ask is that you listed fzsftp (filezilla sftp) which is the client that Filezilla uses for SFTP connections.
    • OC2PS
      OC2PS over 10 years
      Ah! I connected via FileZilla to SFTP, hence listed fzsftp...thought this was my server. SFTP would be fine, if you can help me with that. Thanks!
  • OC2PS
    OC2PS over 10 years
    Nice! How can I restrict the user to a particular directory, and prevent the user from accessing a couple of subdirectories within that directory?
  • S edwards
    S edwards over 10 years
Bind the user inside its home folder and add symbolic links inside to the different directories you want to allow.
  • slm
    slm over 10 years
    @OC2PS - the above shows one method of chroot'ing the users, you can also chroot them to their home directory too. I generally break these users out into a designated area so that it's obvious when I look through /home/... who is really a user on a system. Though I run an actual SFTP server for work so my needs are slightly different.
  • OC2PS
    OC2PS over 10 years
    When I do sudo useradd -D userX, I get Usage: useradd [options] LOGIN
  • slm
    slm over 10 years
    @OC2PS try useradd userX. Sorry I misread the man page for useradd.
  • Alexandre Laborde
    Alexandre Laborde over 8 years
    I guess guestuser should always be userX, right? And the user should be created before the directory, right?
  • Pikk
    Pikk about 7 years
I am getting [root@localhost ~]# chown macrouser:sftpusers /sftp/macrouser/{incoming,outgoing} chown: cannot access ‘/sftp/macrouser/incoming’: No such file or directory chown: cannot access ‘/sftp/macrouser/outgoing’: No such file or directory. Of course I added the user macrouser and the group according to that guide. grep macrouser /etc/passwd macrouser:x:1003:1003::/incoming:/sbin/nologin any idea?
  • slm
    slm about 7 years
@pikk those extra characters in the path "cannot access ..." look like your issue.
  • Pikk
    Pikk about 7 years
There were no extra characters. Only spaces. I even deleted those spaces and added them back with the spacebar. Same issue. Issue resolved by creating this folder.