SFTP Only

By Greg Gallardo

Overview

Every once in a while I have to share files with users who aren't allowed to use free file sharing services such as Google Drive or Dropbox. One way around this is setting up an SFTP-only account on a public-facing server that I control. The example in this post was set up on an Ubuntu 20.04 server.

User and Group Setup

  1. The first thing to do is create a group specifically for SFTP-only access.
sudo addgroup sftpusers

The output will look something like this:

admin@myserver:~$ sudo addgroup sftpusers
Adding group `sftpusers' (GID 1095) ...
Done.
  2. Next, create an SFTP-only user.
sudo adduser fred5617

The output will look something like this:

admin@myserver:~$ sudo adduser fred5617
Adding user `fred5617' ...
Adding new group `fred5617' (1087) ...
Adding new user `fred5617' (1087) with group `fred5617' ...
Creating home directory `/home/fred5617' ...
Copying files from `/etc/skel' ...
New password:
Retype new password:
passwd: password updated successfully
Changing the user information for fred5617
Enter the new value, or press ENTER for the default
        Full Name []: sftp only
        Room Number []:
        Work Phone []:
        Home Phone []:
        Other []:
Is the information correct? [Y/n] y

While the new account does have a home directory in /home, I prefer to set up a separate folder for SFTP-only accounts.

admin@myserver:~$ sudo mkdir -p /data/fred5617
admin@myserver:~$ sudo chown root:root /data/fred5617
admin@myserver:~$ sudo chmod 755 /data/fred5617
  3. Add the new user to the SFTP group.
sudo adduser fred5617 sftpusers

The output should look something like this:

admin@myserver:~$ sudo adduser fred5617 sftpusers
Adding user `fred5617' to group `sftpusers' ...
Adding user fred5617 to group sftpusers
Done.

OpenSSH Server Configuration

Configure the SSH server to allow SFTP access for the sftpusers group. To do this, edit the SSH configuration file at /etc/ssh/sshd_config.

  1. Open /etc/ssh/sshd_config with a text editor using sudo and look for the Subsystem sftp section.
# override default of no subsystems
Subsystem       sftp    /usr/lib/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#       X11Forwarding no
#       AllowTcpForwarding no
#       PermitTTY no
#       ForceCommand cvs server
  2. Add the following Match block at the end of the configuration file. Leave the existing Subsystem line where it is and do not add a second copy: sshd refuses to start when Subsystem sftp is defined twice. The block has to go at the end because every directive after a Match line applies only to that match.
Match Group sftpusers
    # Chroot into the root-owned directory created above (%u expands to the username).
    # sshd requires the chroot directory and all of its parents to be owned by root
    # and not group/world writable, which is why /home/fred5617 (owned by the user)
    # cannot be used as is. The user can only write into a subdirectory you create
    # and chown to them inside the chroot.
    ChrootDirectory /data/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
    #PasswordAuthentication yes

Note:

  3. Restart the SSH service so the new configuration takes effect.
sudo service ssh restart
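Before restarting sshd it is worth confirming that the chroot path satisfies the ownership and permission rules sshd enforces, because a chroot directory the user owns (such as the default /home/fred5617) is rejected at login with "bad ownership or modes for chroot directory". The checker below is an added example, not part of the original post; it assumes GNU stat (Linux) and the /data/fred5617 layout created above.

```sh
#!/bin/sh
# Verify that a directory is acceptable as an sshd ChrootDirectory: the path
# and every parent up to (and including) TOP must be owned by REQUIRED_UID
# (0 on a real server) and must not be group- or world-writable. sshd applies
# the same rule before it chroots an SFTP session. Assumes GNU stat (Linux).
#   usage: check_chroot_path PATH [TOP=/] [REQUIRED_UID=0]
check_chroot_path() {
    path=$1
    top=${2:-/}
    want_uid=${3:-0}
    p=$path
    while :; do
        uid=$(stat -c %u "$p") || return 1          # numeric owner uid
        perms=$(stat -c %A "$p") || return 1        # symbolic mode, e.g. drwxr-xr-x
        if [ "$uid" -ne "$want_uid" ]; then
            echo "$p: owned by uid $uid, must be uid $want_uid" >&2
            return 1
        fi
        case $perms in
            ?????w*|????????w*)                      # group (pos 6) or other (pos 9) write bit
                echo "$p: mode $perms is group/world writable" >&2
                return 1 ;;
        esac
        [ "$p" = "$top" ] && break                  # reached the top of the walk
        [ "$p" = / ] && break
        p=$(dirname "$p")
    done
    return 0
}

# On the server from the post (as root, whole path checked up to /):
#   check_chroot_path /data/fred5617 && sshd -t && service ssh restart
```

In production run it as root with only the path argument so every component up to / is checked, then validate the whole file with sudo sshd -t before restarting.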