how to limit users in sftp/ssh?


I am right now trying to setup a ssh, or sftp server, so that a friend of me in Germany can copy files to and from my computer over the internet. Just using fish:// and so on in his browser.

For that I have set up a new (2nd) user and created a new group for him, so that he just has limited permissions and that he can not see what I have in my /home for example.

During some tests I found out that this user can see remotely which services and programs I have running at the moment. He can see them when he logs in via ssh in the terminal.
I don´t know if he also could kill them, but I mean, when a cracker is on my machine, he could see what services are running and may know which flaws and security holes he can use to crack my machine.
I know that this cracker at first needs the username and password, but even when I use strong and sophisticated ones, I still have a bad feeling about that.

Is there a way to limit a user so restrictly that he just can copy something into his /home and maybe create a new folder and thats it? No looking around… no system stuff to see?
Is this possible? If so: how? I have searched in yast but I did not find any options, neither in the user setup nor in the groups…

any tip and hint would be very much appreciated!

thanks in advance


You can set up the account so that only sftp is allowed, not ssh or scp. Then you can confine the sftp to a chroot jail. There are tutorials on how to do this, here’s one:

OpenSSH SFTP chroot() with ChrootDirectory

You’ll have to configure this by editing the sshd config file, I’m not aware of YaST supporting this.

This only works with the internal-sftp server which was introduced starting in 4.8. You will see some old tutorials showing you some convoluted way involving building a custom sftp server, etc. Don’t follow those. It can be done with the standard ssh/sftp package from 4.8 onwards.


thanks for the answer. To be honest, I did not understand what is written in this linked tutorial - this is always the same… I never understood tutorials, written by Debian folks… :’(


how do I remove the ssh permission from the user account? I did not find anything in yast related to that. I also searched in the groups because as I understood it (maybe its wrong) that the group makes the permissions for the user.
I created a new group for this user and did not add anything to it. But I also did not remove something (how?)

would be cool if someone had an answer on that!

thanks & regards

There’s no such thing as a “ssh permission” for the user. What that tutorial teaches you to do is specify that certain logins will not get a shell but only get the internal sftp-server.

Yes, YAST supports this.

  1. Select and install a YAST-supported FTP application like PureFTP.
  2. If necessary, install YAST FTP addon package
  3. FTP applet should appear in YAST under Network Services. configure accordingly which includes the radio button to require SFTP (Expert Settings window).

I’ve observed this setting but haven’t used it (I prefer HTTPS for public file access, use FTP only behind a firewall. Typically HTTPS becomes unusable only for very large files). Am curious why this YAST setting doesn’t require assigning a specific certificate, don’t know if this means a cert is auto-generated or the cert is used only for encryption and not for authentication.

If YAST works for you, it can mean it should only take no more than 10 minutes for initial setup and it becomes very easy to modify/enable/disable on demand.


Er, SFTP is a different protocol from FTP, SFTP is actually file transfer over SSH. FTP is a two port protocol. SSH/SFTP is a single port protocol.

There is a variant of FTP called FTPS which uses TLS. FTPS != SFTP.

The similarity of the acronyms is a constant source of confusion.

You’re right of course, I wasn’t paying attention.
The YAST applet does configure SSL/TLS so it’s FTPS… so my comment about why a certificate isn’t specified is still likely a detail some might consider important.