How can I create an SFTP user in CentOS?
Non-chroot access
If you don't have an FTP server set up, and you trust the user who will be logging in not to go poking around your server too much, I'd be inclined to give them an account to SFTP into the system instead.
The CentOS wiki maintains a simple howto titled Simple SFTP setup that makes this pretty pain-free.
I say it's pain-free because you literally just have to make the account, make sure that the firewall allows SSH traffic, make sure the SSH service is running, and you're pretty much done.
If sshd isn't already running:
$ sudo /etc/init.d/sshd start
To add a user:
$ sudo useradd userX
$ sudo passwd userX
... set the password ...
When you're done with the account:
$ sudo userdel -r userX
Chroot access
If, on the other hand, you want to limit this user to a designated directory, the SFTP server included with SSH (OpenSSH) provides a configuration that makes this easy to enable too. It's a bit more work, but not too much. The steps are covered in this tutorial: How to Setup Chroot SFTP in Linux (Allow Only SFTP, not SSH).
Make these changes to your /etc/ssh/sshd_config file.
## Replace the existing "Subsystem sftp ..." line with the in-process SFTP server:
Subsystem sftp internal-sftp
## You want to put only certain users (i.e. users who belong to the sftpusers group) in the chroot jail environment. Add the following lines at the end of /etc/ssh/sshd_config:
Match Group sftpusers
ChrootDirectory /sftp/%u
ForceCommand internal-sftp
Now you'll need to make the chrooted directory tree that this user will be locked into.
$ sudo mkdir -p /sftp/userX/{incoming,outgoing}
# chown needs the userX account and the sftpusers group to exist already; create them first (useradd below)
$ sudo chown userX:sftpusers /sftp/userX/{incoming,outgoing}
Permissions should look like the following:
$ ls -ld /sftp/userX/{incoming,outgoing}
drwxr-xr-x 2 userX sftpusers 4096 Dec 28 23:49 /sftp/userX/incoming
drwxr-xr-x 2 userX sftpusers 4096 Dec 28 23:49 /sftp/userX/outgoing
The top level directories like this:
# sshd requires the ChrootDirectory and every directory above it to be owned by root and not group- or world-writable, otherwise the login fails
$ ls -ld /sftp /sftp/userX
drwxr-xr-x 3 root root 4096 Dec 28 23:49 /sftp
drwxr-xr-x 3 root root 4096 Dec 28 23:49 /sftp/userX
Don't forget to restart the sshd server:
$ sudo service sshd restart
Now create the userX account:
# the sftpusers group from the Match block has to exist before useradd -g can use it
$ sudo groupadd sftpusers
# -d is relative to the chroot: /incoming is /sftp/userX/incoming once the user is jailed
$ sudo useradd -g sftpusers -d /incoming -s /sbin/nologin userX
$ sudo passwd userX
... set password ...
You can check that the account was created correctly:
$ grep userX /etc/passwd
userX:x:500:500::/incoming:/sbin/nologin
When you're done with the account, delete it in the same way as above:
$ sudo userdel -r userX
...and don't forget to remove the configuration file changes we made above, then restart sshd to make them active once more.
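The chroot procedure above as one script, added here as an example; it is not the answer's own commands or the linked tutorial's code. It assumes the same /sftp/<user> layout and sftpusers group, CentOS 6 style service management (service, /usr/sbin/sshd), and GNU coreutils and sed (stat -c, sed -i) as shipped on CentOS. It creates the group and user before the chown (so the names resolve), keeps useradd from creating a real /incoming, checks the ownership and mode rule sshd enforces on the ChrootDirectory path, and validates sshd_config with sshd -t before restarting so a typo cannot lock you out. The AllowTcpForwarding and X11Forwarding lines are additions beyond the answer's config, and the optional uid argument to check_chroot_dir exists only so the check can be exercised on a directory you own; all function names are my own.

```shell
#!/bin/sh
# Added example for the chroot-SFTP procedure; not the answer's own commands.
# Assumes /sftp/<user> jails, the sftpusers group, CentOS 6 service scripts,
# and GNU stat/sed.
set -e

SFTP_ROOT=/sftp
SFTP_GROUP=sftpusers

# The Match block appended to /etc/ssh/sshd_config. AllowTcpForwarding and
# X11Forwarding are additions: ForceCommand internal-sftp denies a shell, but
# without them the jailed account can still open port forwards via the server.
sshd_match_block() {
    cat <<EOF
Match Group $SFTP_GROUP
    ChrootDirectory $SFTP_ROOT/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
EOF
}

# sshd refuses the login ("bad ownership or modes for chroot directory") unless
# the ChrootDirectory and every parent are owned by root and not writable by
# group or others. Applies that rule to one directory; the second argument
# (default uid 0) is only there so the check can be run on a directory you own.
# Prints the reason and returns 1 on failure.
check_chroot_dir() {
    local dir="$1" want_uid="${2:-0}" uid mode rest grp oth
    [ -d "$dir" ] || { echo "$dir: not a directory"; return 1; }
    uid=$(stat -c '%u' "$dir")
    mode=$(stat -c '%a' "$dir")          # e.g. 755 or 1777
    if [ "$uid" != "$want_uid" ]; then
        echo "$dir: owned by uid $uid, expected $want_uid"; return 1
    fi
    rest=${mode%?}; grp=${rest#"${rest%?}"}; oth=${mode#"${mode%?}"}
    case $grp in 2|3|6|7) echo "$dir: group-writable (mode $mode)"; return 1 ;; esac
    case $oth in 2|3|6|7) echo "$dir: world-writable (mode $mode)"; return 1 ;; esac
    return 0
}

# Walk from the jail up to / and check every component.
check_chroot_path() {
    local d="$1"
    while :; do
        check_chroot_dir "$d" || return 1
        [ "$d" = / ] && return 0
        d=$(dirname "$d")
    done
}

# Group and user first so chown can resolve the names. -M stops useradd from
# creating a real /incoming: the home is relative to the jail, so /incoming
# means /sftp/userX/incoming once the user is chrooted.
add_sftp_user() {
    local user="$1" jail="$SFTP_ROOT/$1"
    getent group "$SFTP_GROUP" >/dev/null || groupadd "$SFTP_GROUP"
    useradd -M -g "$SFTP_GROUP" -d /incoming -s /sbin/nologin "$user"
    mkdir -p "$jail/incoming" "$jail/outgoing"
    chown root:root "$SFTP_ROOT" "$jail"
    chmod 755 "$SFTP_ROOT" "$jail"
    chown "$user:$SFTP_GROUP" "$jail/incoming" "$jail/outgoing"
    chmod 755 "$jail/incoming" "$jail/outgoing"
    check_chroot_path "$jail"
}

# Switch the subsystem to internal-sftp, append the Match block once, and
# refuse to restart on a config sshd itself rejects.
install_sshd_config() {
    local cfg=/etc/ssh/sshd_config
    cp -p "$cfg" "$cfg.bak"
    sed -i 's|^Subsystem[[:space:]][[:space:]]*sftp[[:space:]].*|Subsystem sftp internal-sftp|' "$cfg"
    grep -q "^Match Group $SFTP_GROUP" "$cfg" || sshd_match_block >>"$cfg"
    /usr/sbin/sshd -t
    service sshd restart
}

# Usage: sudo sh sftp-jail.sh userX  (with no argument only the functions are defined)
if [ "$#" -eq 1 ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    install_sshd_config
    add_sftp_user "$1"
    passwd "$1"
fi
```

To undo, run userdel -r userX, rm -rf /sftp/userX, restore the saved sshd_config.bak and restart sshd, as the answer describes.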
OC2PS
Updated on September 18, 2022
Comments
- OC2PS, over 1 year: I'd like to give temporary SFTP access to a support guy. How do I create an SFTP user? And how can I delete it once the job is done? Also, how do I specify a home directory for them? Can I prevent them from accessing certain subdirectories within their home directory? We use CentOS 6.3 and fzSftp.
- S edwards, over 10 years: It depends on your configuration; providing us your config file could help.
- OC2PS, over 10 years: What particular settings should I post?
- S edwards, over 10 years: the one of your FTP daemon
- slm, over 10 years: Are you sure you want FTP or SFTP? The reason I ask is that you listed fzsftp (FileZilla sftp), which is the client that FileZilla uses for SFTP connections.
- OC2PS, over 10 years: Ah! I connected via FileZilla to SFTP, hence listed fzsftp... thought this was my server. SFTP would be fine, if you can help me with that. Thanks!
- OC2PS, over 10 years: Nice! How can I restrict the user to a particular directory, and prevent the user from accessing a couple of subdirectories within that directory?
- S edwards, over 10 years: bind the user inside its home folder and add symbolic links inside to the different directories you want to allow
- slm, over 10 years: @OC2PS - the above shows one method of chroot'ing the users; you can also chroot them to their home directory too. I generally break these users out into a designated area so that it's obvious when I look through /home/... who is really a user on the system. Though I run an actual SFTP server for work, so my needs are slightly different.
- OC2PS, over 10 years: When I do sudo useradd -D userX, I get Usage: useradd [options] LOGIN
- slm, over 10 years: @OC2PS try useradd userX. Sorry, I misread the man page for useradd.
- Alexandre Laborde, over 8 years: I guess guestuser should always be userX, right? And the user should be created before the directory, right?
- Pikk, about 7 years: I am getting [root@localhost ~]# chown macrouser:sftpusers /sftp/macrouser/{incoming,outgoing} chown: cannot access '/sftp/macrouser/incoming': No such file or directory chown: cannot access '/sftp/macrouser/outgoing': No such file or directory. Of course I added the user macrouser and the group according to that guide. grep macrouser /etc/passwd: macrouser:x:1003:1003::/incoming:/sbin/nologin. Any idea?
- slm, about 7 years: @pikk those extra characters in the path "cannot access ..." look like your issue.
- Pikk, about 7 years: There were no extra characters, only spaces. I even deleted those spaces and added them back with the spacebar. Same issue. Issue resolved by creating this folder.