Creating an additional user for sFTP can be useful because it improves security by allowing each user to have separate credentials and limiting their access to only certain directories on the server. It also allows you to differentiate access to the server between different users, giving them only the necessary access rights.
Restricts user access rights to certain directories on the server and does not grant them full access to the server's file system.
In general, creating a separate user for sFTP helps improve security, improve access control on the server, and make it easier to audit server access.
To create an "admin" user with limited access to the server via the sFTP protocol and granting him access only to his own directory, you can follow these steps:
Creating an "admin" user
To create the "admin" user, you need to run the following command in the terminal:
adduser admin
When you run the command, you will need to enter the password for the "admin" user, as well as additional information. By default, when creating an "admin" user, the home directory "/home/admin" will be assigned to it.
Create directory for "admin" user
After creating the "admin" user, you need to create a directory, if necessary, in which he will have access to work. To do this, run the following commands:
mkdir /sftp
mkdir /sftp/admin
The first command will create the "/sftp" directory, which will be used as the root directory for sFTP. The second command will create the "/sftp/admin" directory, which will only be accessible by the "admin" user.
Or this can be done with a single command with the -p switch:
mkdir -p /sftp/admin
sFTP setup
To limit the access of the "admin" user to only his "/sftp/admin" directory, you need to make changes to the SSH configuration file (/etc/ssh/sshd_config). Open the file in a text editor and add the following lines to the end of the file:
Match User admin
ForceCommand internal-sftp
PasswordAuthentication yes
ChrootDirectory /sftp/admin
PermitTunnel no
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no
Where:
Match User admin - Specifies that the following options will only apply to the "admin" user.
ForceCommand internal-sftp - specifies that when connecting via sFTP, the "admin" user will be limited to access only the built-in sFTP server, and all other commands will be blocked.
PasswordAuthentication yes - Enables password authentication.
ChrootDirectory /sftp/admin - restricts user access to the specified directory "/" and its subdirectories.
PermitTunnel no - prohibits the creation of tunnels.
AllowAgentForwarding no - prohibits the use of an authorization agent.
AllowTcpForwarding no - disables redirection of TCP traffic.
X11Forwarding no - disables forwarding of graphical applications.
These settings indicate that when connecting via sFTP, the "admin" user will be limited to accessing the "/sftp/admin" directory only. The user will not be able to navigate to a level above this directory or access other directories on the server.
Restarting the SSH Service
After making changes to the SSH configuration file, you must restart the SSH service on the server. To do this, run the following command:
systemctl restart sshd
Connecting to the server via sFTP
Now the "admin" user can connect to the server via the sFTP protocol using his login and password. To do this, you can use any FTP client that supports the SFTP protocol (for example, FileZilla, WinSCP or Cyberduck). When connecting, the user must specify the IP address of the server.
As you can see, creating and adding another user to connect via sFTP is easy. And this, in turn, makes it easier to audit access to the server and establish responsibility in case of problems.