The ChrootDirectory must be owned by root. You can still give access to directories inside the ChrootDirectory that are owned by different users. The ChrootDirectory needs 755 permissions. /var/www needs to be owned by www-data.
Step 1 : Install the OpenSSH server package if it is not installed.
    sudo apt-get install openssh-server
Step 2 : Create a separate group for SFTP users.
    sudo addgroup ftpaccess
Step 3 : Edit the /etc/ssh/sshd_config file and make the changes below. Find and comment out this line:
    #Subsystem sftp /usr/lib/openssh/sftp-server
and add these lines to the end of the file.
    Subsystem sftp internal-sftp

    Match Group ftpaccess
        ChrootDirectory /var/www
        AllowTCPForwarding no
        X11Forwarding no
        ForceCommand internal-sftp
Step 4 : Restart the sshd service.
    sudo service ssh restart
Step 5 : Add a user in the ftpaccess group and set a password.
    sudo adduser paul --ingroup ftpaccess --shell /usr/sbin/nologin
OR
    sudo useradd -m paul -g ftpaccess -s /usr/sbin/nologin
Step 6 : Change the ownership of the home directory (the chroot target must be root-owned).
    sudo chown root:root /home/paul
Step 7 : Create a directory inside the home directory for uploads and give the user and the group ownership of it.
    sudo mkdir /home/paul/www
    sudo chown paul:ftpaccess /home/paul/www
ChrootDirectory is an sshd_config option. It can be used to “jail” users into a limited view of the filesystem, such as their home directory, rather than letting them see the full filesystem.
To set up a restricted sftp server one should use the ForceCommand and ChrootDirectory directives in sshd_config. Presumably most people will not want to restrict every user, so they should also use the Match directive to select a user or group to apply the restrictions to. For example:
    Match user jimbo
        ForceCommand internal-sftp
        ChrootDirectory /chroot
This will cause the user ‘jimbo’ to be chrooted to the “/chroot” directory at login. The user will not be able to log in interactively or run arbitrary commands; the login will only be useful for sftp transfers. Note that the user’s home directory may exist under the “/chroot” directory above (e.g. “/chroot/home/djm”) and sshd will try to chdir to it before starting to serve files, but it doesn’t matter if it does not exist.
    Subsystem sftp internal-sftp

    Match User paul
        ChrootDirectory /home/paul
        ForceCommand internal-sftp
        AllowTCPForwarding no
        X11Forwarding no
You can also match a certain group, for example with Match group webmaster.
If you do log in via SSH to paul’s sftp account though, it’ll give an error that no such file or directory exists and
    Subsystem sftp internal-sftp

    Match Group sftp-only
        AllowTCPForwarding no
        X11Forwarding no
        ForceCommand internal-sftp
    sudo chown root /home/paul
    sudo chmod go-w /home/paul
    sudo mkdir /home/paul/writeable
    # the group given here must be the same group named in the Match Group line above
    sudo chown paul:sftponly /home/paul/writeable
    sudo chmod ug+rwX /home/paul/writeable
Add the user “demo” to the group “www-data” (below, replace demo with your username):
    sudo usermod -a -G www-data demo
Set the group ownership for the www-data group:
    sudo chgrp -R www-data /var/www/html
followed by
    sudo chmod -R g+w /var/www/html
Now you can modify files as “demo” via SFTP, and your WordPress installation can modify files without requesting credentials.
chmod 755 the chroot directory. The OpenSSH server may fail to start the session when a chroot is configured but cannot be performed (e.g. because of group-writable permissions on the chroot directory). Some environments require specific permissions (e.g. 755) on files like .profile or .bashrc.
Make sure Subsystem sftp internal-sftp is placed after UsePAM yes. If it is not, update the file and restart SSH.