How can I create a user only for sftp?

Solution 1:

The command you should use to change the shell is chsh. The nologin shell can be /sbin/nologin or /usr/sbin/nologin (check which you have by looking in /etc/shells) but /bin/false would probably be a better choice.

chsh -s /bin/false user

You should consider setting up something like scponly which will do exactly what you want.

Solution 2:

You should also be able to do it with OpenSSH 4.9 and up, with which you can additionally chroot the user for increased security.

In your /etc/ssh/sshd_config:

Match User user
ChrootDirectory /home/user
ForceCommand internal-sftp
AllowTcpForwarding no

Then run:

chsh -s /bin/false user
chown root:root /home/user
mkdir /home/user/uploads
chown user /home/user/uploads

The user will only be able to write in /home/user/uploads.

https://debian-administration.org/article/590/OpenSSH_SFTP_chroot_with_ChrootDirectory
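
One way to check that the Match block from Solution 2 is actually in place for an account. This is an added example, not part of the original answer. The function name audit_sftp_only is hypothetical, and the parser assumes "Match User" lines with literal, comma-separated names and whitespace-separated "Keyword value" pairs.

```shell
#!/bin/sh
# audit_sftp_only FILE USER: check that FILE (sshd_config syntax) restricts
# USER as in the answer above. Prints one FAIL line per problem; returns 0
# only when the chroot, forced internal-sftp and no-forwarding settings exist.
# Assumptions: "Match User" with literal, comma-separated names (no wildcards,
# no negation, no extra criteria) and whitespace-separated "Keyword value".
audit_sftp_only() {
    awk -v user="$2" '
    function fail(msg) { print "FAIL: " msg; bad = 1 }
    /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
    {
        key = tolower($1)                    # keywords are case-insensitive
        if (key == "match") {                # a Match block ends at the next Match
            inblock = 0
            if (NF == 3 && tolower($2) == "user") {
                n = split($3, names, ",")
                for (i = 1; i <= n; i++)
                    if (names[i] == user) { inblock = 1; found = 1 }
            }
            next
        }
        # sshd keeps the first value it obtains for a keyword
        if (inblock && !(key in val)) val[key] = $2
    }
    END {
        if (!found) fail("no Match User block for " user)
        else {
            if (!("chrootdirectory" in val) || val["chrootdirectory"] == "none")
                fail("ChrootDirectory not set")
            if (val["forcecommand"] != "internal-sftp")
                fail("ForceCommand is not internal-sftp (shell access possible)")
            if (tolower(val["allowtcpforwarding"]) != "no")
                fail("AllowTcpForwarding is not no")
        }
        exit bad + 0
    }' "$1"
}

# Constructed sample input: the Match block from the answer above.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Subsystem sftp internal-sftp
Match User user
    ChrootDirectory /home/user
    ForceCommand internal-sftp
    AllowTcpForwarding no
EOF
audit_sftp_only "$sample" user && echo "OK: user is sftp-only"
rm -f "$sample"
```

Point it at the real /etc/ssh/sshd_config to audit a live host; a directive that appears only after the next Match line does not count for the user.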


Solution 3:

I think the best way is with mysecureshell.

http://mysecureshell.sourceforge.net/en/index.html

You can chroot a user with this easily and even limit bandwidth if needed.