SFTP (SSH File Transfer Protocol) is a secure file protocol used to access, manage, and transfer files over an encrypted SSH transport session. An SFTP-only user is an account that can reach the server through SFTP only; it has no SSH shell access. This gives you a secure channel for providing limited access to specific files and directories.

This guide describes how to create an SFTP-only user without shell access on Ubuntu and Debian systems.

Step 1 – Create a New Account

First, create a user account on your system to use as the SFTP user. The following command creates a new account named sftpuser with no shell access. You can change the username to one of your choice.

sudo adduser --shell /bin/false sftpuser 

Step 2 – Create Directory for SFTP

Now, create the directory structure that the SFTP user will be allowed to access.

sudo mkdir -p /var/sftp/files 

Here we will allow the user to access the “files” directory only.

Now change the ownership of the files directory to sftpuser, so that sftpuser can read and write in this directory only.

sudo chown sftpuser:sftpuser /var/sftp/files 

Then set the owner and group of /var/sftp to root. The root user has read/write access to this directory; group members and other accounts have only read and execute permissions. This matters because sshd refuses a chrooted login unless the chroot directory and all of its parent directories are owned by root and not writable by any other user.

sudo chown root:root /var/sftp 
sudo chmod 755 /var/sftp 

Step 3 – Configure sshd for SFTP Only

/etc/ssh/sshd_config is the main configuration file of the OpenSSH server. Be careful when changing this configuration file, because any mistake can cause lost connections.

Edit the SSH configuration file in a text editor:

sudo vim /etc/ssh/sshd_config 

and add the following settings at the end of the file.

Match User sftpuser
	ForceCommand internal-sftp
	PasswordAuthentication yes
	ChrootDirectory /var/sftp
	PermitTunnel no
	AllowAgentForwarding no
	AllowTcpForwarding no
	X11Forwarding no

Save and close the file. The directives are:

  • Match User defines the username to which the SFTP-only configuration applies. In our case it is sftpuser.
  • ForceCommand internal-sftp enforces SFTP-only access for the user and blocks shell access.
  • PasswordAuthentication yes allows password authentication for the user.
  • ChrootDirectory /var/sftp restricts the user to directories under this directory only. Here /var/sftp acts as the root directory of the user.
  • AllowAgentForwarding no specifies whether ssh-agent forwarding is permitted. The default is yes.
  • AllowTcpForwarding no specifies whether TCP forwarding is permitted. The default is yes.
  • X11Forwarding no specifies whether X11 forwarding (graphical applications) is permitted or not.

Restart the SSH service to apply the new settings:

sudo systemctl restart ssh 

That’s it. You have successfully created an SFTP-only user on a Debian-based system.
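The three steps above, collected into one script as an added example (this is not part of the original guide). It assumes Debian/Ubuntu with openssh-server installed, the same /var/sftp layout and username, and that the "apply" subcommand is run as root. Beyond the guide, it checks the chroot ownership and modes that sshd insists on, and runs sshd -t before restarting so a typo in the Match block cannot lock you out.

```bash
#!/usr/bin/env bash
# Added example (not from the original guide): automate steps 1-3 for one
# SFTP-only user and verify the chroot permissions that sshd insists on.
# Assumes Debian/Ubuntu with openssh-server; "apply" must run as root.
set -eu

CHROOT=/var/sftp
SSHD_CONFIG=/etc/ssh/sshd_config

# Render the Match block from the guide for a given username.
render_match_block() {
    printf '%s\n' "Match User $1" \
        "    ForceCommand internal-sftp" "    PasswordAuthentication yes" \
        "    ChrootDirectory $CHROOT"    "    PermitTunnel no" \
        "    AllowAgentForwarding no"    "    AllowTcpForwarding no" \
        "    X11Forwarding no"
}

# The chroot directory (and every parent) must not be group- or world-writable,
# or sshd rejects the login with "bad ownership or modes for chroot directory".
mode_ok() {                      # $1: octal mode string, e.g. 755 or 1777
    perm=$(( 0$1 ))              # leading 0 makes the shell parse it as octal
    [ $(( perm & 022 )) -eq 0 ]  # write bits for group (020) and others (002)
}

# Walk from DIR up to / checking root ownership and mode_ok at each level.
chroot_path_ok() {
    dir=$1
    while :; do
        [ "$(stat -c %u "$dir")" -eq 0 ] || { echo "not root-owned: $dir" >&2; return 1; }
        mode_ok "$(stat -c %a "$dir")" || { echo "group/world-writable: $dir" >&2; return 1; }
        [ "$dir" = / ] && return 0
        dir=$(dirname "$dir")
    done
}

apply() {                        # $1: username
    # Password is left unset; assign one with passwd or install a key afterwards.
    adduser --shell /bin/false --disabled-password --gecos "" "$1"
    mkdir -p "$CHROOT/files"
    chown root:root "$CHROOT" && chmod 755 "$CHROOT"
    chown "$1:$1" "$CHROOT/files"
    chroot_path_ok "$CHROOT"
    grep -q "^Match User $1\$" "$SSHD_CONFIG" || render_match_block "$1" >> "$SSHD_CONFIG"
    sshd -t                      # syntax-check first, so a typo cannot lock you out
    systemctl restart ssh
}

# Usage: sudo ./sftp-only.sh apply sftpuser   (no arguments: only define functions)
if [ "${1:-}" = apply ]; then apply "${2:-sftpuser}"; fi
```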

Step 4 – Security Tips (Optional)

Here are some basic but important security tips for SFTP accounts in a production environment.

  1. Run the SSH server on a non-standard port
  2. Disable password authentication and configure key-based authentication
  3. Make sure the firewall restricts access to specific IP addresses only
  4. Keep the openssh package up to date

Conclusion

This tutorial described how to create an SFTP-only user account on an Ubuntu system. Shell access for that account is disabled, restricting the user to SFTP access only.