If you find any error, please send me a quick heads-up.
This is a guide on how to allow SFTP access to a server.
1) Preface: create sftp-users Group
groupadd sftp-users
2) Update sshd config
Open the file /etc/ssh/sshd_config
and comment out the following line (if it exists):
Subsystem sftp /some/path/to/sftp-server
Add the following lines at the end of the file:
Subsystem sftp internal-sftp
Match Group sftp-users
ChrootDirectory %h
ForceCommand internal-sftp
X11Forwarding no
AllowTCPForwarding no
Here you need to use the group name we added above.
3) Restart ssh service
service ssh restart
Now we are able to give SFTP access to server users.
The next part of the guide explains how to create a new user and use it for SFTP.
Create user
Now we create the user who should get access to the server:
adduser example_org --disabled-login --shell /bin/false
# also add the user to the group
usermod -a -G sftp-users example_org
Now the user has SFTP access. However, the user can only access their home directory, as they are chrooted there. Normally we want to give the user access to the web server directory, and we do it like this:
Mount web directory to user home
cd /home/some_user
mkdir www
mount --bind /var/www/example.org/ www
Assign user home to root
This is a requirement for chroot to properly work:
chown root:root /home/some_user
Mount the directory permanently
For now the directory is mounted, but that mount will disappear as soon as we restart the server. So we need to add an entry to /etc/fstab:
/var/www/example.org/ /home/some_user/www none bind 0 0
Now the user has proper SFTP access (no FTP, and no SSH login).
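The "Assign user home to root" step is the one that most often goes wrong in practice: sshd refuses the login with "bad ownership or modes for chroot directory" unless the ChrootDirectory and every parent directory up to / are owned by root and writable only by root. The following script is an added example, not part of the original guide, that checks those rules before you restart sshd; the optional owner argument is only there so the functions can be exercised against test directories (assumed helper names check_chroot_component and check_chroot_path, not anything from OpenSSH).

```shell
#!/bin/sh
# Added example (not from the original guide): verify that a directory meets
# the ownership and permission rules sshd enforces for ChrootDirectory.
# sshd rejects the session unless the chroot path and every one of its parent
# directories is owned by root and not writable by group or others.
# The OWNER argument defaults to root; it is overridable only so the check
# can be run against scratch directories during testing.

# Check a single directory component.
# Returns 0 if DIR is owned by OWNER and not group/world writable, else 1.
check_chroot_component() {
    dir=$1
    owner=${2:-root}
    [ -d "$dir" ] || { echo "$dir: not a directory" >&2; return 1; }
    # 'ls -ld' prints e.g. "drwxr-xr-x 2 root root 4096 ... /home/some_user":
    # field 3 is the owner; characters 6 and 9 of the mode string are the
    # group-write and other-write bits.
    entry=$(ls -ld "$dir")
    perms=${entry%% *}
    actual_owner=$(printf '%s\n' "$entry" | awk '{print $3}')
    gw=$(printf '%s\n' "$perms" | cut -c6)
    ow=$(printf '%s\n' "$perms" | cut -c9)
    status=0
    if [ "$actual_owner" != "$owner" ]; then
        echo "$dir: owned by $actual_owner, must be owned by $owner" >&2
        status=1
    fi
    if [ "$gw" = "w" ] || [ "$ow" = "w" ]; then
        echo "$dir: group or world writable ($perms)" >&2
        status=1
    fi
    return $status
}

# Walk from DIR up to / and check every component, the same way sshd does.
# Reports every offending directory rather than stopping at the first one.
check_chroot_path() {
    cur=$(cd "$1" 2>/dev/null && pwd -P) || { echo "$1: cannot resolve" >&2; return 1; }
    want=${2:-root}
    bad=0
    while :; do
        check_chroot_component "$cur" "$want" || bad=1
        [ "$cur" = "/" ] && break
        cur=$(dirname "$cur")
    done
    return $bad
}

# Usage: sh check-chroot.sh /home/some_user
if [ $# -gt 0 ]; then
    check_chroot_path "$@" && echo "OK: $1 is an acceptable ChrootDirectory"
fi
```

Run it against the user's home after the chown step; the upload directory (www, and the bind-mounted /var/www/example.org/ behind it) is the only place that may be writable by the user, because the chroot root itself must stay root-owned. To confirm that the Match block really applies to the account before restarting, run `sshd -t` for a syntax check and `sshd -T -C user=example_org,host=localhost,addr=127.0.0.1 | grep -i -e chrootdirectory -e forcecommand`, which prints the effective settings for that user. After the restart, check both directions: `sftp example_org@host` should work, and `ssh example_org@host` should be refused.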