There are many reasons why you might want this kind of setup, but mostly it comes down to this: you don't want the user poking around inside your server, and the user only needs to transfer (download, upload) files to and from it.
Of course, some of you will ask "Why not set up an FTP server instead?". The answer is that plain FTP sends credentials and file contents in clear text, and in my opinion it is largely obsolete. SFTP runs over SSH, so everything is encrypted and authenticated, and with a chroot the user never sees anything outside the directory you give them.
Let’s get started.
1) Install OpenSSH Server.
Let’s install OpenSSH Server first.
CentOS / RHEL Distro
sudo yum install openssh-server
Ubuntu / Debian
sudo apt-get install openssh-server
2) Create User, Group and User Directory
In this example we are going to use sftpuser as the user, sftp-only as the group and /var/www as the base directory, so each user's chroot will be /var/www/<username>.
Creating Group
sudo groupadd sftp-only
Now run the following command to look up the group ID; we will need it later.
getent group sftp-only
The output should look like this.
sftp-only:x:500:
Here 500 is our group ID. Yours will almost certainly be a different number, so take note of the value you actually get. (useradd also accepts the group name instead of the number, so you can pass sftp-only directly if you prefer.)
Now let's create an empty skeleton directory to use when creating the user, so that no .bashrc, .profile and similar dotfiles get copied into what will become the chroot root.
sudo mkdir /etc/skel2
Let's create our user. Note that we pass the group ID we noted above as the value of the --gid parameter (the group name works too). With --base-dir /var/www and --create-home, useradd creates /var/www/sftpuser owned by the new user; we will hand that directory back to root in the next step.
sudo useradd --base-dir /var/www --gid 500 --skel /etc/skel2 --create-home --shell /sbin/nologin sftpuser
On Debian and Ubuntu the nologin binary lives at /usr/sbin/nologin, so use that path for --shell there. The shell is never used for SFTP, but nologin makes sure the account cannot get an interactive login by any other route.
Set the user's password:
sudo passwd sftpuser
and enter the desired password when prompted.
Now let's create the directory tree and fix ownership and permissions.
sudo mkdir -p /var/www/sftpuser/home/sftpuser
sudo chown root:sftp-only /var/www/sftpuser
sudo chmod 750 /var/www/sftpuser
sudo chown root:root /var/www/sftpuser/home
sudo chmod 755 /var/www/sftpuser/home
sudo chown sftpuser:sftp-only /var/www/sftpuser/home/sftpuser
sudo chmod 770 /var/www/sftpuser/home/sftpuser
Note that the chroot directory (/var/www/sftpuser) must be owned by root, with the group set to your sftp group (sftp-only). sshd requires the chroot directory and every parent component of its path (here /var and /var/www as well) to be owned by root and not writable by group or others. 750 satisfies that (755 would too), but anything group- or world-writable makes sshd refuse the login and log "bad ownership or modes for chroot directory". Only the innermost directory, /var/www/sftpuser/home/sftpuser, is writable by the user.
Because the home directory recorded in /etc/passwd (/var/www/sftpuser) does not exist inside the chroot, the user's SFTP session starts at the chroot root and sees home/sftpuser as the writable directory. If you would rather have the session start directly in the writable directory, set the home to its path as seen from inside the chroot: sudo usermod -d /home/sftpuser sftpuser (without -m, usermod only changes the passwd entry and creates nothing on disk).
3) Configure your sshd_config
Now edit sshd_config, which is located at /etc/ssh/sshd_config, using your favorite editor. (In this example I will be using vi, but you can use any text editor you want.)
sudo vi /etc/ssh/sshd_config
The default sftp subsystem is the external sftp-server binary, which cannot run inside an empty chroot. We are going to use the in-process internal-sftp instead, so comment out the existing Subsystem line. On CentOS/RHEL it looks like this; on Debian/Ubuntu the path is /usr/lib/openssh/sftp-server.
#Subsystem sftp /usr/libexec/openssh/sftp-server
After that, add the following at the bottom of sshd_config. The Match block has to be the last thing in the file, because every directive after a Match line belongs to that block until the next Match. %u expands to the name of the user logging in, so each member of sftp-only is confined to /var/www/<username>; ForceCommand internal-sftp makes sure they get the SFTP server and nothing else, whatever they request.
Subsystem sftp internal-sftp

Match Group sftp-only
    ChrootDirectory /var/www/%u
    AllowTcpForwarding no
    X11Forwarding no
    ForceCommand internal-sftp
If you want to close the remaining doors too, AllowAgentForwarding no and PermitTunnel no can go in the same block.
4) Restart SSHD
Now that everything is in place, check the configuration for syntax errors before restarting. A broken sshd_config can lock you out, so keep your current SSH session open until you have verified a fresh login works.
sudo sshd -t
If that prints nothing, restart sshd.
sudo service sshd restart
On Debian/Ubuntu the service is called ssh (sudo service ssh restart), and on systemd-based systems you can use sudo systemctl restart sshd (or ssh).
Then test from another machine: sftp sftpuser@yourserver should log in and land in the chroot, and ssh sftpuser@yourserver should be refused with "This service allows sftp connections only."
Debugging
If sshd refuses to restart, run sudo sshd -t and read the message: it names the offending line. The usual culprits are a typo in the Match block, a second Subsystem sftp line that was not commented out, or a Match block that is not at the end of the file. If the restart works but logins fail, look at /var/log/secure (CentOS/RHEL) or /var/log/auth.log (Debian/Ubuntu): "bad ownership or modes for chroot directory" means the ownership or permissions from step 2 are wrong somewhere along the path.
Some people work around restart problems by opening sshd_config again and commenting out this line.
#UsePAM yes
Only do that as a last resort and after finding the real error: disabling PAM turns off PAM's account and session handling for every SSH login on the box, not just the SFTP users. Then restart again.
If you are still experiencing problems, please comment below and let’s debug it together. 🙂