• How do I set up a SFTP server for only file transfers in my Debian stable/Trixie?

    From ant@ant@zimage.comANT (Ant) to alt.os.linux.debian on Sun May 3 22:37:07 2026
    From Newsgroup: alt.os.linux.debian

    Hello,

    How do I set up a SFTP server for only file transfers in my Debian stable/Trixie? Download and uploads only. No SSH access, accessing other directories, etc.

    Thank you for reading and hopefully answering soon. :)
    --
    "Be joyful in hope, patient in affliction, faithful in prayer." --Romans 12:12. May the 4th eve be with you!
    Note: A fixed width font (Courier, Monospace, etc.) is required to see this signature correctly.
    /\___/\ Ant(Dude) @ http://aqfl.net & http://antfarm.home.dhs.org.
    / /\ /\ \ Please nuke ANT if replying by e-mail.
    | |o o| |
    \ _ /
    ( )
    --- Synchronet 3.21f-Linux NewsLink 1.2
  • From Lawrence D’Oliveiro@ldo@nz.invalid to alt.os.linux.debian on Mon May 4 05:43:32 2026
    From Newsgroup: alt.os.linux.debian

    On Sun, 3 May 2026 22:37:07 -0000 (UTC), Ant wrote:

    > How do I set up a SFTP server for only file transfers in my Debian stable/Trixie? Download and uploads only. No SSH access, accessing
    > other directories, etc.

    ForceCommand internal-sftp

    <https://manpages.debian.org/sshd_config(5)>
    --- Synchronet 3.21f-Linux NewsLink 1.2
  • From Tom Mix@tommix@dev.null to alt.os.linux.debian on Sat May 16 15:37:44 2026
    From Newsgroup: alt.os.linux.debian

    On 2026-05-03, Ant <ant@zimage.comANT> wrote:
    > Hello,
    >
    > How do I set up a SFTP server for only file transfers in my Debian stable/Trixie? Download and uploads only. No SSH access, accessing other directories, etc.
    >
    > Thank you for reading and hopefully answering soon. :)

    OpenSSH can already do this without needing anything fancy.

    What you want is a chrooted SFTP setup with the user forced into
    internal-sftp and no shell access.

    Install the server if it is not already there:

    sudo apt install openssh-server

    Make a group for SFTP-only users:

    sudo groupadd sftpusers

    Create the user:

    sudo useradd -m -g sftpusers -s /usr/sbin/nologin username
    sudo passwd username

    Now make the jailed directory structure:

    sudo mkdir -p /sftp/username/uploads

    Important part here: the top directory has to belong to root or sshd
    will refuse the login.

    sudo chown root:root /sftp/username
    sudo chmod 755 /sftp/username

    Then hand the writable directory to the user:

    sudo chown username:sftpusers /sftp/username/uploads

    Now edit:

    /etc/ssh/sshd_config

    Add this at the bottom:

    Match Group sftpusers
    ChrootDirectory /sftp/%u
    ForceCommand internal-sftp
    X11Forwarding no
    AllowTcpForwarding no

    Restart ssh:

    sudo systemctl restart ssh

    That gives them file transfers only. No shell, no wandering around the filesystem, no SSH login.
    --
    Tom Mix
    --- Synchronet 3.22a-Linux NewsLink 1.2
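
Added example, not part of Tom Mix's post: a POSIX shell audit for the setup above. It checks what sshd_config(5) requires of a ChrootDirectory (every directory from the chroot up to / owned by root and not writable by group or others) and that the effective settings printed by `sshd -T` carry the four restrictions from the Match block. The function names and the script name audit.sh are made up for this example; `stat -c` assumes GNU coreutils, as on Debian.

```shell
#!/bin/sh
# Added example (hypothetical audit.sh): verify the chrooted SFTP-only setup.

# check_chroot_chain BASE DIR [UID]
# Walk from DIR up to BASE. Each directory must be owned by UID (default 0,
# root) and must not be writable by group or others. sshd refuses the login
# if any component of the ChrootDirectory path breaks this rule.
check_chroot_chain() {
    base=$1; dir=$2; want_uid=${3:-0}; rc=0
    while :; do
        info=$(stat -c '%u %a' "$dir") || return 2
        uid=${info% *}; mode=${info#* }
        if [ "$uid" != "$want_uid" ]; then
            echo "FAIL $dir: owner uid $uid, expected $want_uid"; rc=1
        fi
        # 022 = group-write and other-write bits of the octal mode
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "FAIL $dir: mode $mode is writable by group or others"; rc=1
        fi
        case $dir in "$base"|/) break ;; esac
        dir=$(dirname "$dir")
    done
    return $rc
}

# check_effective_config
# Read `sshd -T` output on stdin (keywords are printed in lower case) and
# require the restrictions from the Match Group sftpusers block.
check_effective_config() {
    conf=$(cat); rc=0
    for want in '^forcecommand internal-sftp$' '^chrootdirectory /sftp/' \
                '^allowtcpforwarding no$' '^x11forwarding no$'; do
        if ! printf '%s\n' "$conf" | grep -qiE "$want"; then
            echo "FAIL effective sshd config lacks: $want"; rc=1
        fi
    done
    return $rc
}

# Real use, as root:  sh audit.sh username
if [ "$#" -eq 1 ]; then
    check_chroot_chain / "/sftp/$1" 0
    sshd -T -C "user=$1,host=localhost,addr=127.0.0.1" | check_effective_config
fi
```

Run it after the `systemctl restart ssh` step; a FAIL line on the path check usually means `/sftp` or `/sftp/username` was chowned to the user or made group-writable.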
  • From ant@ant@zimage.comANT (Ant) to alt.os.linux.debian on Sat May 16 16:40:03 2026
    From Newsgroup: alt.os.linux.debian

    Thanks. :)


    --
    "The Lord your God is with you, he is mighty to save. He will take great delight in you, he will quiet you with his love, he will rejoice over you with singing." --Zephaniah 3:17. Slammy &y allergy week! :(
    Note: A fixed width font (Courier, Monospace, etc.) is required to see this signature correctly.
    /\___/\ Ant(Dude) @ http://aqfl.net & http://antfarm.home.dhs.org.
    / /\ /\ \ Please nuke ANT if replying by e-mail.
    | |o o| |
    \ _ /
    ( )
    --- Synchronet 3.22a-Linux NewsLink 1.2