# Setting up SFTP only accounts



## gkontos (Dec 9, 2010)

I am sorry if this has been discussed before but I couldn't find any related threads.
What I want is to create some user accounts that will not be able to get a shell but will be able to sftp or scp to their home directories. If I add a user like this

```
gkontos:*:1001:1001:Full Name:/home/gkontos:/usr/sbin/nologin
```
then the user will not be able to sftp to the server. Any suggestion will be much appreciated.


----------



## jrm@ (Dec 9, 2010)

Have a look at the shells/scponly port.


----------



## beesatmsu (Dec 9, 2010)

I know vsftp can do this via virtual users. These are not regular Unix users but exist only for FTP purposes, so they have no shell and are not set up with adduser but only in the conf file of vsftp.

But vsftp is not a secure FTP program. Check yours for virtual users.


----------



## gkontos (Dec 10, 2010)

mingrone said:

> Have a look at the shells/scponly port.



Looks good, I will test it.


----------



## rghq (Dec 11, 2010)

For SFTP you can also try the ForceCommand sshd_config directive:


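```
# In-process SFTP server: needs no helper binaries inside the chroot
Subsystem sftp internal-sftp

# A Match block runs until the next Match line or the end of the file
Match group sftp_users
 AllowTcpForwarding no
 X11Forwarding no
 # %h expands to the user's home directory; sshd requires every component
 # of the chroot path to be root-owned and not group- or world-writable
 ChrootDirectory %h
 ForceCommand internal-sftp
```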

Or by "Match user" - then login shell etc. can be set to nologin.


----------



## olav (Dec 15, 2010)

Another alternative would be rssh, though I recommend what rghq suggested.


----------



## anomie (Dec 15, 2010)

rghq said:

> For SFTP you can also try the forcecommand sshd_config directive



IMHO, this is the correct answer. There was a time when I regularly used shells/scponly and/or shells/rssh, but the OpenSSH team has elegantly solved this problem as of their 4.8 release.

So, using baked-in, _comparable_ features is preferable to installing third-party tools, when possible.


----------
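Added example, not part of any post in this thread: a small Python check for the Match-block approach rghq describes. It parses sshd_config text and reports Match blocks that chroot or force a command but miss one of the settings from that post. The sample config, the `backup` user and the function names are constructed for illustration.

```python
import re

# Settings an SFTP-only Match block should carry (lowercased keyword -> value).
REQUIRED = {"forcecommand": "internal-sftp", "allowtcpforwarding": "no",
            "x11forwarding": "no"}
CHROOT_TOKENS = {"%%", "%h", "%u", "%U"}  # tokens sshd_config(5) documents
# Constructed sample config; the second block is deliberately incomplete.
SAMPLE = """\
Subsystem sftp internal-sftp
Match Group sftp_users
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
Match User backup
    ChrootDirectory /srv/%H
    ForceCommand internal-sftp
"""

def parse_match_blocks(text):
    """Return {criteria: {keyword: value}} for each Match block."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, value = (line.split(None, 1) + [""])[:2]
        if keyword.lower() == "match":  # "Match all" returns to global scope
            current = None if value.lower() == "all" else blocks.setdefault(value, {})
        elif current is not None:
            current.setdefault(keyword.lower(), value)  # first value wins, as in sshd
    return blocks

def audit(text):
    """Return {criteria: [findings]} for blocks that chroot or force a command."""
    report = {}
    for criteria, opts in parse_match_blocks(text).items():
        if not {"forcecommand", "chrootdirectory"} & opts.keys():
            continue
        findings = [f"{key} should be {want}" for key, want in REQUIRED.items()
                    if opts.get(key, "").lower().split()[:1] != [want]]
        chroot = opts.get("chrootdirectory", "")
        if not chroot:
            findings.append("chrootdirectory not set")
        findings += [f"unsupported chroot token {tok}"
                     for tok in re.findall(r"%.", chroot) if tok not in CHROOT_TOKENS]
        report[criteria] = findings
    return report

print(audit(SAMPLE))
```

This only inspects the config text; `sshd -t` remains the authoritative syntax check, and ownership of the chroot path has to be verified on the filesystem itself.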

