Basic tutorial for creating an SFTP-only user on Ubuntu 9.04 and greater

Adding SFTP-only user to Ubuntu Server

To add an SFTP-only user, you'll need to make sure your SSH config settings are correct, add a new user/group and set permissions for your new user. For step-by-step directions, see below. Omit sudo if you're logged in as root.

Directions

  1. Edit /etc/ssh/sshd_config and make sure to add the following at the end of the file (everything after a Match line applies only to that Match, so it must come last):

     Match group filetransfer
         ChrootDirectory %h
         X11Forwarding no
         AllowTcpForwarding no
         ForceCommand internal-sftp
    
  2. Restart OpenSSH:

     sudo /etc/init.d/ssh restart
    
  3. Add new group for SFTP-only users:

     sudo addgroup filetransfer
    
  4. Add new user (make sure to switch out username in the following steps to your specified username):

     sudo adduser username
    
  5. Add user to new group and set permissions. Do not skip the chown/chmod: sshd only accepts a ChrootDirectory that is owned by root and not writable by group or others (this applies to every directory above it as well), so the login is rejected if the user owns their home. If the account already belongs to other groups you want to keep, use usermod -aG instead of -G, which replaces the supplementary group list:

     sudo usermod -G filetransfer username
     sudo chown root:root /home/username
     sudo chmod 755 /home/username
    
  6. Create directories for user and set final permissions:

     cd /home/username
     sudo mkdir folder_1 folder_2
     sudo chown username:username *
    
  7. Set up a symbolic link to make the user's folder available to the public (the /var/www/... path will depend on your environment; the web server can read into /home/username because of the 755 permissions set in step 5):

     sudo ln -s /home/username/USER_DIRECTORY /var/www/devpress.cbai.us/wordpress/PUBLIC_DIRECTORY/
    
     If you need to view the public directory index, you may have to add a .htaccess file in your PUBLIC_DIRECTORY with: Options +Indexes

  8. Use Cyberduck or another SFTP client to connect. Go have a beer.

Thanks for the tutorial, found it helpful. :)

I skipped step 7 (don't want them public). Can I still go for the beer?

More stress on the importance of step 5 though: I tried to skip that too at first (why should the user not own their home? or write there?) but it just wouldn't work without it.

Hi there, I originally used this same guide and added two user accounts that worked perfectly well until fairly recently. One of my accounts I can log in fine with FileZilla, but the other one, or any subsequent accounts I create, will not log in. I get 'Authentication failed' and Critical error: could not connect to server.

Please advise

I did not understand that step 7.

I only want to give access to a developer of a plugin who asked me for admin access to WordPress and FTP access to fix a plugin problem; however, obviously I do not trust him, so I only want to create a user with limited permissions and, just after he solves the problem, delete the FTP user. You understood?

I understand all the steps, but when I try to connect with my SFTP client (FileZilla), I get an authentication error message. I don't know why; I repeated all the steps many times.
