Creating an SFTP only user account

Discussion in 'Mac OS X Lion (10.7)' started by haravikk, Apr 11, 2012.

  1. haravikk macrumors 65816

    May 1, 2005
    Okay, this is something I've searched for, but I've been finding all kinds of different methods which has me a bit confused as to what the best way to do this would be.

    So I'm hoping for some help with creating a user account whose sole purpose is for SFTP access to a single folder on my machine. I've enabled Remote Login to enable SFTP, and I now want to add a user which can sign in for SFTP access to a single folder.

    I've tried just creating a Sharing Only account, but this is no good as it can't connect via SFTP at all, even if given a path to a folder owned by that user. The only way to get it to connect seems to be to give it a home folder and a login shell, however this effectively turns it into a standard account, causing it to appear on the login screen etc., which I don't really want.

    So, I'm wondering what the best way is to create an account that can only login via SFTP, and access a single folder assigned to them (preferably forcing them to do so so I don't need to use absolute paths all the time).
  2. r0k macrumors 68040


    Mar 3, 2008
    This sort of thing is commonly done on Linux by replacing the default shell of a (typically bash or csh) user with a "noop" shell. Ftp and sftp still work but any command the user attempts to run will fail because they have no shell.

    I have a similar situation. I use a "junk" account for my scanner to send files to my Mac by ftp. Rather than attempt to force the account to "ftp only", I created a fairly obfuscated password for the account and programmed that password into the scanner. I then made sure the account was normal not admin.

    Another approach might be to run a third party ftp server which allows you to assign "made up" users and I've heard some third party ftp servers can be set to only allow access to one folder you designate.

    I'm the author of a small app that enables "plain old" ftp so older scanners and cameras can still send files to a Mac. I've found that my app works under Lion and Mountain Lion (despite the signing feature not quite working) but I've considered changing my approach to offer a standalone ftp "server" if Apple ever decides to remove the built-in ftp server from OS X.
  3. haravikk thread starter macrumors 65816

    May 1, 2005
    Isn't the default shell for a sharing-only account a "no-op" shell? I had to change to a normal shell in order to be able to use SFTP, otherwise it didn't work.

    I've managed to hide the account by enabling the Hide500Users option in, after changing the account's user id. However, I'm now stuck with the "Other" option on the login window, which I thought the Hide500Users option wasn't supposed to produce. Is there any way to get rid of this?
  4. Mattie Num Nums macrumors 68030

    Mattie Num Nums

    Mar 5, 2009
    Create a user and create a Group using dscl giving them SSH access and then finding the folder you would like that user to have access to and granting access.

    You can tell the loginwindow to show only username and password fields instead of other/listing users.
  5. haravikk thread starter macrumors 65816

    May 1, 2005
    Can you be more specific on the steps? I tried creating a test account like so:
    • Create sharing only account "test" in Users & Groups
    • Create group "SFTP Users" in Users & Groups
    • Add SFTP Users to allowed users under "Remote Login" option in Sharing.
    • Create folder /Users/test and chown to change ownership for test user.
    However, when I try to connect to SFTP (using Transmit) I just get a message complaining that the username or password were not accepted.

    I have to go into the advanced options for the user (in Users & Groups) and set a login shell and a home folder before I'm able to login via SFTP.
  6. Mattie Num Nums macrumors 68030

    Mattie Num Nums

    Mar 5, 2009
    Any particular reason you only want one file accessible? It will help me figure out the best way for you to achieve what you want.
  7. haravikk thread starter macrumors 65816

    May 1, 2005
    I just want to the restrict the user so that they're only accessing their own home folder. Ideally with no access elsewhere, so they can't even see other folders in the system.

    I'm not quite as fussy about this part, my main concern is just on giving the user SFTP access without them being usable for anything else, so they don't show up for logging in, shell access etc., only for SFTP. Unless shell access is necessary for SFTP, I've never been completely clear on that point, but I don't want the user for logging in normally.
  8. tigres macrumors 68040


    Aug 31, 2007
    Land of the Free-Waiting for Term Limits
    Very NICE r0k!

    Was looking for just this very thing all weekend, and here you are.
    I am picking up a SL server iMac (skipping the lion version), but should be able to do SMB, and ftp on that box with my business office scanner.

    Either way, should I ever have to brave the Lion server waters, glad to know I bookmarked your page.

    nice job :)

Share This Page