Creating SFTP Users

Steps

Create a Linux User

sudo useradd -d <path_to_dir_to_share> <sftpuser>

Set a password

sudo passwd <sftpuser>

Add the following configuration at the end of the sshd config file, /etc/ssh/sshd_config:

Match User <sftpuser>
    ChrootDirectory %h
    AllowTCPForwarding no
    X11Forwarding no
    ForceCommand internal-sftp

The Match block must be at the end of the file. Everything after a Match line belongs to that block until the next Match line, so a global directive placed below it (Subsystem, for example) is read as part of the block, is not permitted there, and sshd reports a configuration error and refuses to start.
The SFTP user authenticates with the password set above, so password authentication must be enabled in sshd_config. Check for the following:

PasswordAuthentication yes

If the user will log in with an SSH key instead, password authentication can stay disabled; the key then has to be placed under the user's home by root, because the user cannot write there (see the ownership requirement below).

Ensure correct permissions and ownership

The chroot directory, and every directory on the path leading to it, must be owned by root:root and must not be writable by group or others; 0755 satisfies this. sshd refuses the login otherwise.

sudo chown root:root <path_to_dir_to_share>
sudo chmod 755 <path_to_dir_to_share>

Restart ssh service

sudo service ssh restart

(Optional) Adding the user to a group

If the directory used for SFTP belongs to another user or group, add the SFTP user to that group so it can write to the group-writable subdirectories (the membership takes effect at the user's next login):

sudo usermod -a -G <group> <sftpuser>

For example, if SFTP is used to upload into a web server's document root, add the SFTP user to the www-data group.

Troubleshooting

Cannot connect with SFTP

Ensure that the directory the SFTP user logs into, and every parent directory on its path, is owned by root:root and has 755 permissions.
Check /var/log/auth.log for sshd error messages; a chroot path that violates the rule above is logged as "bad ownership or modes for chroot directory component":

sudo tail -f /var/log/auth.log

Writing to the directory root

The SFTP user cannot write to the directory it is chrooted into. This is a consequence of the ownership rule above: the chroot directory must be owned by root and not writable by anyone else, so it cannot be writable by the SFTP user. Consider the following situation:
  • the web server root is /var/www/html
  • the SFTP user was created with its home in /var/www/html
In this case the user cannot create files directly in /var/www/html, but it can write to any subdirectory that it owns or has write access to (for example through group membership). A way of dealing with this is to move the root of your application to /var/www/html/app and make that subdirectory owned by the SFTP user. The user then logs in to /var/www/html and has full write access to the application root one level down.