In this tutorial I will show how to create SFTP accounts limited to a single directory. An SFTP account can be assigned to a single user or to a group; I will cover both situations in this tutorial.
The first thing we need is to install the OpenSSH server:
sudo apt-get install openssh-server
Create the user
For creating the user just run the following command:
sudo adduser Billy
Prevent user from accessing ssh
To increase security, the user shouldn't be allowed to log in over ssh, so give the account a non-interactive shell:
sudo usermod -s /bin/false Billy
Configure ssh
Now we need to modify the ssh configuration in the file /etc/ssh/sshd_config, replacing the following line:
Subsystem sftp /usr/lib/openssh/sftp-server
with this one:
Subsystem sftp internal-sftp
internal-sftp is much newer than sftp-server; sftp-server is still the default option for backward compatibility. Nevertheless, internal-sftp supports all sftp-server features and additionally allows limiting access per user or group. Furthermore it performs better, because it doesn't need to spawn a separate process for each SFTP session.
Setup user’s default root path
We need to set the user's home directory to the root directory, "/":
sudo usermod -d / Billy
This is necessary because the path that will be defined in "ChrootDirectory" will be relative to this root path.
Setup the SFTP folder
The "ChrootDirectory" folder must be owned by root (sshd also refuses to chroot into it if it, or any directory above it, is writable by group or others):
sudo chown root.root /PATH/TO/THE/FOLDER/WITH/SFTP/ACCESS
Create limited account for a single user
Go to the end of the file sshd_config and add these lines:
Match User Billy
    ChrootDirectory /PATH/TO/THE/FOLDER/WITH/SFTP/ACCESS
    PermitTunnel no
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp
Be careful with the directive ForceCommand internal-sftp: it will force the user to connect only by sftp; ssh shell access will be disabled!
Note: you can also add
PasswordAuthentication yes
to allow password authentication; then you should set a password for the user:
sudo passwd Billy
If this option is disabled you will need to use RSA keys instead.
Create limited account for a group
Create the group:
sudo addgroup sftplimited
Add the user to the group:
sudo usermod -g sftplimited Billy
Now go to the end of the file sshd_config and add these lines:
Match Group sftplimited
    ChrootDirectory /PATH/TO/THE/FOLDER/WITH/SFTP/ACCESS
    PermitTunnel no
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp
Be careful with the directive ForceCommand internal-sftp: it will force every member of this group to connect only by sftp; ssh shell access will be disabled!
Note: you can also add
PasswordAuthentication yes
to allow password authentication; then you should set a password for the user:
sudo passwd Billy
If this option is disabled you will need to use RSA keys instead.
Try it out
Restart the ssh service to load all changes:
sudo service ssh restart
Try the SFTP connection:
sftp Billy@YOUR.SERVER.COM
Problems?
If it doesn't work for some reason, try running sshd in debug mode (the errors will be printed on the console):
/usr/sbin/sshd -ddd
Comments (3)
Thank you so much for this tutorial. I am trying to give my new Developer access to my WordPress Plugin directory using SFTP (hosted on Digital Ocean). I get up to the part where you “Setup the SFTP Folder” and get a bit lost since I don’t need to create a new directory but instead open up access to Plugins, which already exists. What would the steps be to open up access to an existing directory?
Also, if after I create a new user I want to create a new Group and add them to it, what is the script to do that? Would you recommend I create a Group, or just focus on the user access if I don't plan on having a lot of other SFTP users in the future?
Thank you again!
Following this guide locked me completely out of the SSH instance. I was a bit worried changing `Subsystem sftp internal-sftp`. Could be great with a warning for this!
I wanted to add a new user to limited access, not lock out all accounts
Hi
I have a problem when I try to connect; this appears:
Authentication log (see session log for details):
Using username “test”.
Authentication failed.
I use WinSCP, and other accounts work without this setting.