• How do I set up a SFTP server for only file transfers in my Debian stab

    From Ant@3:633/10 to All on Sunday, May 03, 2026 22:37:07
    Subject: How do I set up a SFTP server for only file transfers in my Debian stable/Trixie?

    Hello,

    How do I set up a SFTP server for only file transfers in my Debian stable/Trixie? Download and uploads only. No SSH access, accessing other directories, etc.

    Thank you for reading and hopefully answering soon. :)
    --
    "Be joyful in hope, patient in affliction, faithful in prayer." --Romans 12:12. May the 4th eve be with you!
    Note: A fixed width font (Courier, Monospace, etc.) is required to see this signature correctly.
    /\___/\ Ant(Dude) @ http://aqfl.net & http://antfarm.home.dhs.org.
    / /\ /\ \ Please nuke ANT if replying by e-mail.
    | |o o| |
    \ _ /
    ( )

    --- PyGate Linux v1.5.14
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
  • From Lawrence D'Oliveiro@3:633/10 to All on Monday, May 04, 2026 05:43:32
    Subject: Re: How do I set up a SFTP server for only file transfers in my Debian stable/Trixie?

    On Sun, 3 May 2026 22:37:07 -0000 (UTC), Ant wrote:

    How do I set up a SFTP server for only file transfers in my Debian stable/Trixie? Download and uploads only. No SSH access, accessing
    other directories, etc.

    ForceCommand internal-sftp

    <https://manpages.debian.org/sshd_config(5)>

  • From Tom Mix@3:633/10 to All on Saturday, May 16, 2026 15:37:44
    Subject: Re: How do I set up a SFTP server for only file transfers in my Debian stable/Trixie?

    On 2026-05-03, Ant <ant@zimage.comANT> wrote:
    Hello,

    How do I set up a SFTP server for only file transfers in my Debian stable/Trixie? Download and uploads only. No SSH access, accessing other directories, etc.

    Thank you for reading and hopefully answering soon. :)

    OpenSSH can already do this without needing anything fancy.

    What you want is a chrooted SFTP setup with the user forced into
    internal-sftp and no shell access.

    Install the server if it is not already there:

    sudo apt install openssh-server

    Make a group for SFTP-only users:

    sudo groupadd sftpusers

    Create the user:

    sudo useradd -m -g sftpusers -s /usr/sbin/nologin username
    sudo passwd username

    Now make the jailed directory structure:

    sudo mkdir -p /sftp/username/uploads

    Important part here: the top directory has to belong to root or sshd
    will refuse the login.

    sudo chown root:root /sftp/username
    sudo chmod 755 /sftp/username

    Then hand the writable directory to the user:

    sudo chown username:sftpusers /sftp/username/uploads

    Now edit:

    /etc/ssh/sshd_config

    Add this at the bottom:

    Match Group sftpusers
    ChrootDirectory /sftp/%u
    ForceCommand internal-sftp
    X11Forwarding no
    AllowTcpForwarding no

    Restart ssh:

    sudo systemctl restart ssh

    That gives them file transfers only. No shell, no wandering around the filesystem, no SSH login.

    --
    Tom Mix

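Added example, not part of Tom Mix's post: a shell check for the ownership rule he calls the important part. sshd_config(5) requires every component of the ChrootDirectory path to be a root-owned directory that is not writable by group or others. The function names and the script name are made up for this example, and `stat -c` assumes GNU coreutils as shipped on Debian.

```shell
#!/bin/sh
# Added example: audit a ChrootDirectory against the rule in sshd_config(5).
# Every component of the path must be a directory owned by root and
# not writable by group or others, otherwise sshd refuses the login.

# component_ok DIR [UID]
# Succeeds if DIR is a directory owned by UID (default 0 = root) whose mode
# has neither the group-write nor the other-write bit set.
component_ok() {
    c_dir=$1
    c_uid=${2:-0}
    [ -d "$c_dir" ] || return 1
    c_info=$(stat -c '%u %a' -- "$c_dir") || return 1
    c_owner=${c_info% *}      # numeric owner id
    c_mode=${c_info#* }       # octal mode, e.g. 755 or 1777
    [ "$c_owner" -eq "$c_uid" ] || return 1
    [ $(( 0$c_mode & 022 )) -eq 0 ]
}

# chroot_path_ok DIR [UID]
# Walks from DIR up to / and reports the first component that breaks the rule.
chroot_path_ok() {
    p=$(cd -- "$1" 2>/dev/null && pwd -P) || {
        echo "FAIL: $1 is not an accessible directory" >&2
        return 1
    }
    while :; do
        if ! component_ok "$p" "${2:-0}"; then
            echo "FAIL: $p must be owned by uid ${2:-0} and not group/other-writable" >&2
            return 1
        fi
        [ "$p" = / ] && return 0
        p=$(dirname "$p")
    done
}

# Run as: sh check-chroot.sh /sftp/username   (script name is hypothetical)
if [ "$#" -gt 0 ]; then
    chroot_path_ok "$1" && echo "OK: $1 is acceptable as a ChrootDirectory"
fi
```

Run it against /sftp/username before restarting ssh. `sudo sshd -t` separately checks the edited sshd_config for syntax errors.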
  • From Ant@3:633/10 to All on Saturday, May 16, 2026 16:40:03
    Subject: Re: How do I set up a SFTP server for only file transfers in my Debian stable/Trixie?

    Thanks. :)




    --
    "The Lord your God is with you, he is mighty to save. He will take great delight in you, he will quiet you with his love, he will rejoice over you with singing." --Zephaniah 3:17. Slammy &y allergy week! :(
    Note: A fixed width font (Courier, Monospace, etc.) is required to see this signature correctly.
    /\___/\ Ant(Dude) @ http://aqfl.net & http://antfarm.home.dhs.org.
    / /\ /\ \ Please nuke ANT if replying by e-mail.
    | |o o| |
    \ _ /
    ( )
