May 25, 2017

How to Set Up an SFTP User on FreeBSD


Do you need a secure way to give people access to files on your FreeBSD server? FTP is not a good option because passwords are transferred in plain text; use the more secure SFTP instead. SFTP runs over SSH, which encrypts all passwords and data. With this option there is no need to install a separate service, as SSH is already running on almost every server.
All you need to do is configure SSH properly. In this tutorial we show you how to give users limited access to your system. Shell login will be disabled for these users, so they cannot run commands or play around with files they shouldn't.

Root access is required to edit the following files and to execute commands. Log in as root (su) or simply prepend sudo to all commands that require root privileges.

Create an SFTP-only group

This is the group to which the SFTP-only users will be added.

pw groupadd sftponly

Configure SSH

Open the sshd_config file:

vi /etc/ssh/sshd_config

Add these lines at the bottom of the file and change the chroot directory to suit your needs. They must go at the bottom: every directive after a Match line applies only to that Match block, so anything placed below it would no longer be a global setting.

Match Group sftponly
ChrootDirectory /home/%u
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp

Add a new SFTP user

Add a new user to your system and set the login group to sftponly.

adduser
Username: sftpuser
Full name: SFTP user
Uid (Leave empty for default):
Login group [sftpuser]: sftponly
Login group is sftponly. Invite sftpuser into other groups? []:
Login class [default]:
Shell (sh csh tcsh bash rbash nologin) [sh]:
Home directory [/home/sftpuser]:
Home directory permissions (Leave empty for default):
Use password-based authentication? [yes]:
Use an empty password? (yes/no) [no]:
Use a random password? (yes/no) [no]:
Enter password:
Enter password again:
Lock out the account after creation? [no]:
Username   : sftpuser
Password   : *****
Full Name  : SFTP user
Uid        : 1006
Class      :
Groups     : sftponly
Home       : /home/sftpuser
Home Mode  : root
Shell      : /bin/sh
Locked     : no
OK? (yes/no): yes
adduser: INFO: Successfully added (sftpuser) to the user database.

The chroot directory needs to be owned by root, otherwise sshd refuses the login for the user/group. It must also not be writable by the group or by others; sshd checks this for every component of the path (here /, /home and /home/sftpuser).

chown root:sftponly /home/sftpuser

Create a new directory within the user's home directory where files can be uploaded, and change the ownership of this directory to the new user and the sftponly group.

mkdir /home/sftpuser/files
chown sftpuser:sftponly /home/sftpuser/files
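As an added example (not part of the original post), the following sh script checks, before sshd is restarted, that every component of a ChrootDirectory path is a root-owned directory that is not group- or world-writable, which is the condition sshd enforces. It parses `ls -ld` output because that layout is the same on FreeBSD and Linux, whereas the stat(1) flags differ; the path /home/sftpuser is only the sample argument taken from this tutorial, and the `ls -ld` lines in the comments are constructed.

```sh
#!/bin/sh
# Added example, not part of the original post: verify that a ChrootDirectory
# path meets sshd's requirements. sshd refuses the login unless every
# component of the path (/, /home, /home/sftpuser) is a directory owned by
# root and not writable by group or others. The check parses `ls -ld`
# output instead of using the non-portable stat(1) flags.

# chroot_line_ok LINE
#   LINE is one line of `ls -ld` output, for example (constructed):
#   "drwxr-xr-x  3 root  wheel  512 May 25 12:00 /home/sftpuser"
#   Returns 0 if it describes a directory owned by root with no group or
#   other write bit, else 1.
chroot_line_ok() {
    mode=$(printf '%s\n' "$1" | awk '{ print $1 }')
    owner=$(printf '%s\n' "$1" | awk '{ print $3 }')

    case "$mode" in
        d*) ;;              # first character must mark a directory
        *)  return 1 ;;
    esac
    [ "$owner" = "root" ] || return 1

    # Mode string layout: d rwx rwx rwx. Position 6 is the group write bit,
    # position 9 the other write bit. A trailing '+' or '@' (ACL or extended
    # attributes marker) is appended and does not shift these positions.
    gw=$(printf '%s' "$mode" | cut -c6)
    ow=$(printf '%s' "$mode" | cut -c9)
    [ "$gw" != "w" ] && [ "$ow" != "w" ]
}

# report_dir DIR
#   Prints OK, BAD or MISSING for one directory; returns 0 only for OK.
report_dir() {
    if line=$(ls -ld "$1" 2>/dev/null); then
        if chroot_line_ok "$line"; then
            printf 'OK      %s\n' "$1"
            return 0
        fi
        printf 'BAD     %s  (%s)\n' "$1" "$line"
        return 1
    fi
    printf 'MISSING %s\n' "$1"
    return 1
}

# check_chroot_path PATH
#   Walks from / down to PATH, reporting each component. Returns 1 if any
#   component fails, so it can gate the restart:
#   check_chroot_path /home/sftpuser && /etc/rc.d/sshd restart
check_chroot_path() {
    path=$1
    status=0
    current=/
    report_dir "$current" || status=1

    # split PATH on '/' into the positional parameters
    oldifs=$IFS
    IFS='/'
    set -- $path
    IFS=$oldifs

    for part in "$@"; do
        [ -n "$part" ] || continue        # skip the empty field before the leading /
        current="${current%/}/$part"
        report_dir "$current" || status=1
    done
    return $status
}

# Usage when run directly:  sh check_chroot.sh /home/sftpuser
if [ $# -gt 0 ]; then
    check_chroot_path "$1"
fi
```

A typical failure this catches is a home directory created with mode 775 and the sftponly group as owner group: the user can still authenticate, but sshd drops the session right after with a "bad ownership or modes for chroot directory" error in the log, which the walk above reports as BAD on /home/sftpuser.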

Restart the SSH server

/etc/rc.d/sshd restart

Test the new SFTP only user

Finally, connect to your server as the SFTP-only user, navigate to the files directory, upload some files, and check that shell login is disabled for this user. Make sure that your client supports SFTP.

Comments

  1. Lars avlastenok says:

    I recognize that this is a little old post.
    However, I'll give it a try: is there a way to dedicate more than 1 directory per user?
    Let's say I have a person that's doing 2 projects and they each have their own folder. Would he then need 2 logins, or can I assign 2 folders to his user account?
