
@jbenet
Created October 25, 2012 15:29

sftp user

So you want to configure an sftp only user?

Setup a group for sftp only users

groupadd sftponly

Make chroot jail directory

For security reasons, one ought to use chroot jailing, which confines a user to the specified directory and its tree, but nothing else.

NOTE: For the chroot jail to work properly, users' home directories (and all directories in the path) must be owned by root, and must not be writable by groups (g-w).

Replace username below with your chosen username. Replace public below with any directory you want to use (e.g. dropbox, incoming).

# make a directory for all sftp users
sudo mkdir /sftp

# make the user's home directory
# note that the user will not be able to write to /sftp/username
sudo mkdir /sftp/username

# make the user's public directory
# this will be writable.
sudo mkdir /sftp/username/public

# set the ownership of the user's public directory
sudo chown username:sftponly /sftp/username/public

Edit sshd_config

Edit /etc/ssh/sshd_config with your favorite editor.

Add the following to the end of the file:

Match Group sftponly
        ChrootDirectory /sftp/%u
        X11Forwarding no
        AllowTcpForwarding no
        ForceCommand internal-sftp

And restart the ssh server. If you're using upstart:

sudo restart ssh

Add the sftp user

Replace username below with your chosen username. Replace public below if you chose a different directory name above.

# add the user
# -g sftponly: sets the group
# -d /public: sets the user's home directory, relative to the chroot (i.e. /sftp/username/public on disk)
# -s /usr/sbin/nologin: no shell. (confirm path with `which nologin`)
sudo useradd -g sftponly -d /public -s /usr/sbin/nologin username

# set the user's password (use a long random password)
sudo passwd username

Et Voila!

ssh connections should not work:

% ssh username@localhost
username@localhost's password:
This service allows sftp connections only.
Connection to localhost closed.
%

sftp connections should work:

% sftp username@localhost
username@localhost's password:
Connected to localhost.
sftp>