This is a guide on how to allow SFTP access to a server.
1) Preface: create the sftp-users group
2) Update sshd config
Open the file /etc/ssh/sshd_config and comment out the following line (if it exists):
Subsystem sftp /some/path/to/sftp-server
Add the following lines at the end of the file:
Subsystem sftp internal-sftp
Match Group sftp-users
    ChrootDirectory %h
    ForceCommand internal-sftp
    X11Forwarding no
    AllowTCPForwarding no
Here you need to use the group name we added above.
3) Restart ssh service
service ssh restart
Now we are able to give SFTP access to server users.
The next part of the guide explains how to create a new user and use it for SFTP.
Now we create the user who should get access to the server:
adduser example_org --disabled-login --shell /bin/false
# also add the user to the group
usermod -a -G sftp-users example_org
Now the user has SFTP access. However, the user can only access their home directory, as they are chrooted. Normally we want to give the user access to the web server directory, and we do it like this:
Mount web directory to user home
cd /home/some_user
mkdir www
mount --bind /var/www/example.org/ www
Assign user home to root
This is a requirement for chroot to properly work:
chown root:root /home/some_user
Mount the directory permanently
For now the directory is mounted, but that mount will disappear as soon as we restart the server. So we need to add an entry to
/var/www/example.org/ /home/some_user/www none bind 0 0
Now the user has proper SFTP access (no FTP, and no SSH login).
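The whole procedure above as one script, added here as an example and not part of the original guide. It assumes a Debian/Ubuntu host with GNU coreutils and OpenSSH, keeps the guide's placeholder names (sftp-users, example_org, /var/www/example.org), assumes /etc/fstab is the mount table, and adds the ownership and permission check that sshd enforces on every component of the chroot path before it lets the user in.

```shell
#!/bin/sh
# Added example, not from the original guide. Assumes a Debian/Ubuntu host with
# GNU coreutils and OpenSSH; sftp-users, example_org and /var/www/example.org are
# the guide's placeholders, and /etc/fstab is assumed to be the mount table.
set -eu

# sshd rejects the login ("bad ownership or modes for chroot directory") unless
# the ChrootDirectory and every parent are root-owned and not writable by group
# or others. Walk up from the directory and report the first bad component.
chroot_path_ok() {
  p=$(readlink -f -- "$1")
  while :; do
    uid=$(stat -c %u -- "$p"); mode=$(stat -c %a -- "$p")
    [ "$uid" -eq 0 ] || { echo "not root-owned: $p" >&2; return 1; }
    g=$(( (0$mode / 8) % 8 )); o=$(( 0$mode % 8 ))      # group and other bits
    [ $((g & 2)) -eq 0 ] && [ $((o & 2)) -eq 0 ] ||
      { echo "group/other writable: $p (mode $mode)" >&2; return 1; }
    [ "$p" = / ] && return 0
    p=$(dirname -- "$p")
  done
}

# The sshd_config fragment from step 2, rendered for a given group name.
sshd_sftp_block() {
  printf '%s\n' 'Subsystem sftp internal-sftp' "Match Group $1" \
    '    ChrootDirectory %h' '    ForceCommand internal-sftp' \
    '    X11Forwarding no' '    AllowTcpForwarding no'
}

# Steps 3 onward for one user: create it, add it to the group, make the home
# root-owned, bind-mount the web directory, persist the mount, then verify the
# chroot path. Must run as root.
setup_sftp_user() {
  user=$1; webdir=$2; home=/home/$1; fstab=${FSTAB:-/etc/fstab}
  getent group sftp-users >/dev/null || addgroup sftp-users
  id "$user" >/dev/null 2>&1 || adduser "$user" --disabled-login --shell /bin/false
  usermod -a -G sftp-users "$user"
  chown root:root "$home" && chmod 755 "$home"            # chroot requirement
  mkdir -p "$home/www"
  mountpoint -q "$home/www" || mount --bind "$webdir" "$home/www"
  grep -qF "$home/www" "$fstab" ||
    printf '%s %s none bind 0 0\n' "$webdir" "$home/www" >>"$fstab"
  chroot_path_ok "$home"
}

# Usage (as root): sh sftp-chroot.sh apply example_org /var/www/example.org
if [ "${1:-}" = apply ]; then setup_sftp_user "$2" "$3"; fi
```

After running it, restart sshd as in step 3; if chroot_path_ok reports a bad component, fix that directory's owner or mode before testing the login.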