Creating SFTP Users

Steps

Create a Linux User

sudo useradd -d <path_to_dir_to_share> <sftpuser>

Change password

sudo passwd <sftpuser>

Add the following configuration to sshd config in /etc/ssh/sshd_config

Match User <sftpuser>
    ChrootDirectory %h
    AllowTcpForwarding no
    X11Forwarding no
    ForceCommand internal-sftp

Make sure the Match block is at the end of the file: every directive that follows a Match line belongs to that block, so global directives placed after it make sshd report a configuration error and refuse to start.

Password authentication must also be enabled in sshd_config, since the user logs in with the password set above. Check the following:

PasswordAuthentication yes

Ensure correct permissions and ownership

The shared path must be owned by root:root with permission 0755 (sshd refuses a ChrootDirectory that is not root-owned or is group- or world-writable).

sudo chown root:root <path_to_dir_to_share>
sudo chmod 755 <path_to_dir_to_share>

Restart ssh service

sudo service ssh restart

(Optional) Adding user to a group

If the directory used for SFTP is owned by another user and group, add the SFTP user to that group.

sudo usermod -a -G <group> <sftpuser>

For example, if SFTP is used to point at a web server root, you must add the SFTP user to the www-data group.
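The steps above as one script, added here as an example rather than taken from the original page. It emits the Match block, checks the chroot path against sshd's ownership rule (every path component root-owned and not group/world-writable, which is why 755 is required) before restarting, and assumes GNU coreutils (stat -c), Debian/Ubuntu paths and a user named in the lead function's arguments.

```shell
#!/bin/sh
# Added example (not from the original page). Assumes GNU stat and
# Debian/Ubuntu paths: /etc/ssh/sshd_config and "service ssh".
set -eu

# Emit the Match block for user $1; %h makes the user's home the chroot.
sftp_match_block() {
    printf 'Match User %s\n' "$1"
    printf '    ChrootDirectory %%h\n    AllowTcpForwarding no\n'
    printf '    X11Forwarding no\n    ForceCommand internal-sftp\n'
}

# Pure check: owner "uid:gid" ($1) must be 0:0 and octal mode ($2) must not
# be group- or world-writable. 755 and 700 pass; 775, 777 and 1777 fail.
chroot_perm_ok() {
    [ "$1" = "0:0" ] || return 1
    perm=$(printf '%d' "0$2")      # octal string -> decimal
    [ $((perm & 18)) -eq 0 ]       # 18 == 0o022, the g+w and o+w bits
}

# sshd applies the rule to every component of the chroot path, so walk
# from $1 up to / and apply chroot_perm_ok at each level.
chroot_dir_ok() {
    dir=$1
    [ -d "$dir" ] || return 1
    while :; do
        chroot_perm_ok "$(stat -c '%u:%g' "$dir")" "$(stat -c '%a' "$dir")" || return 1
        [ "$dir" = "/" ] && return 0
        dir=$(dirname "$dir")
    done
}

# Full procedure (run as root): setup_sftp_user <sftpuser> <path_to_dir_to_share>
setup_sftp_user() {
    user=$1; dir=$2
    mkdir -p "$dir" && chown root:root "$dir" && chmod 755 "$dir"
    chroot_dir_ok "$dir" || { echo "chroot path $dir fails sshd's ownership rule" >&2; return 1; }
    useradd -d "$dir" "$user"
    passwd "$user"
    sftp_match_block "$user" >> /etc/ssh/sshd_config   # appended, so Match stays at the end
    sshd -t                                            # validate config before restarting
    service ssh restart
}
```

Run `chroot_dir_ok <path>` on its own when an existing share will not connect; it reports which requirement from the Troubleshooting section is violated.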

Troubleshooting

Cannot connect with SFTP

Ensure that the directory the SFTP user needs access to is owned by root:root and has 755 permissions.

Check /var/log/auth.log for error messages:

tail -f /var/log/auth.log


Writing to directory root

It is expected that the SFTP user cannot write to the directory it is chrooted into: the root-only ownership sshd requires for the chroot directory rules it out. Consider the following situation:

  • web server root is in /var/www/html

  • sftp user was created with its home in /var/www/html

In this case, the user cannot write to /var/www/html itself, but it can write to subfolders beneath it (provided they are writable by that user). A way of dealing with this is to move the root of your application to /var/www/html/app, so that the SFTP user can write to the application root directory.