How to create SFTP access to a single folder on Linux

In this tutorial I will show how to create SFTP accounts limited to a single directory. The SFTP restriction can be applied to a single user or to a group; I will cover both cases.

The first thing we need to do is install the OpenSSH server:
sudo apt-get install openssh-server

Create the user

To create the user, run the following command:
sudo adduser Billy

Prevent user from accessing ssh

To increase security, the user shouldn’t be allowed to use ssh:
sudo usermod -s /bin/false Billy

Configure ssh

Now we need to modify the SSH daemon configuration in /etc/ssh/sshd_config, replacing the following line:
Subsystem sftp /usr/lib/openssh/sftp-server

with this one:

Subsystem sftp internal-sftp

internal-sftp is much newer than sftp-server; sftp-server is still the default option for backward compatibility. Nevertheless, internal-sftp supports all sftp-server features and additionally allows limiting access for users and groups. Furthermore, it performs better, because it does not need to spawn a new process for each SFTP session.

Setup user’s default root path

We need to set the user’s home directory to the root directory, “/”:
sudo usermod -d / Billy
This is necessary because the path defined in “ChrootDirectory” will be relative to this path.

Setup the SFTP folder

The “ChrootDirectory” folder must be owned by root:
sudo chown root:root /PATH/TO/THE/FOLDER/WITH/SFTP/ACCESS

Create limited account for a single user

Go to the end of the file sshd_config and add these lines:

Match User Billy
	ChrootDirectory /PATH/TO/THE/FOLDER/WITH/SFTP/ACCESS
	PermitTunnel no
	X11Forwarding no
	AllowTcpForwarding no
	ForceCommand internal-sftp

Be careful with ForceCommand internal-sftp: it forces the user to connect only via SFTP, so SSH shell access is disabled!

Note: you can also add PasswordAuthentication yes to allow password authentication; then you should set a password for the user with sudo passwd Billy. If this option is disabled, you will need to use RSA keys instead.

Create limited account for a group

Create the group:
sudo addgroup sftplimited

Add user to group:
sudo usermod -g sftplimited Billy

Now go to the end of the file sshd_config and add these lines:

Match Group sftplimited
	ChrootDirectory /PATH/TO/THE/FOLDER/WITH/SFTP/ACCESS
	PermitTunnel no
	X11Forwarding no
	AllowTcpForwarding no
	ForceCommand internal-sftp

Be careful with ForceCommand internal-sftp: it forces this group to connect only via SFTP, so SSH shell access is disabled!

Note: you can also add PasswordAuthentication yes to allow password authentication; then you should set a password for the user with sudo passwd Billy. If this option is disabled, you will need to use RSA keys instead.

Try it out

Restart the ssh service to load all changes:
sudo service ssh restart

Try the SFTP connection:
sftp Billy@YOUR.SERVER.COM

Problems?

If it doesn’t work for some reason, run sshd in debug mode (errors are printed to the console):
/usr/sbin/sshd -ddd

Comments 3

  1. Thank you so much for this tutorial. I am trying to give my new Developer access to my WordPress Plugin directory using SFTP (hosted on Digital Ocean). I get up to the part where you “Setup the SFTP Folder” and get a bit lost since I don’t need to create a new directory but instead open up access to Plugins, which already exists. What would the steps be to open up access to an existing directory?

    Also, if after I create a new user, I want to create a new Group and add them to it, what is the script to do that? Would you recommend I create a Group or just focus on the user access if I don’t plan on having a lot of other SFTP users in the future?

    Thank you again!

    1. Following this guide locked me completely out of the SSH instance. I was a bit worried changing `Subsystem sftp internal-sftp`. Could be great with a warning for this!

      I wanted to add a new user to limited access, not lock out all accounts

  2. Hi,
    I have a problem when I try to connect; this appears:

    Authentication log (see session log for details):
    Using username “test”.

    Authentication failed.

    I use WinSCP, and other accounts work without this setting.
