Notes

Configure SFTP

System Administration
  • The ChrootDirectory must be owned by root. You can still grant access to directories inside the ChrootDirectory that are owned by different users
  • The ChrootDirectory needs 755 permissions
  • Add the Match block at the END OF THE FILE, otherwise it won't work
  • Web directories under /var/www need to be owned by www-data

Setup

Step 1 : Install OpenSSH package if not installed

sudo apt-get install openssh-server

Step 2 : Create separate group for SFTP users.

sudo addgroup ftpaccess

Step 3 : Edit the /etc/ssh/sshd_config file and make the changes below. Find the following line and comment it out:

#Subsystem sftp /usr/lib/openssh/sftp-server

and add these lines to the end of the file.

Subsystem sftp internal-sftp

Match Group ftpaccess
    ChrootDirectory /var/www
    AllowTCPForwarding no
    X11Forwarding no
    ForceCommand internal-sftp

Step 4 : Restart sshd service.

sudo service ssh restart

Step 5 : Add user with ftpaccess group and create password.

sudo adduser paul --ingroup ftpaccess --shell /usr/sbin/nologin

OR

sudo useradd -m paul -g ftpaccess -s /usr/sbin/nologin

Step 6 : Modify the home directory ownership (the chroot must be owned by root).

sudo chown root:root /home/paul

Step 7 : Create a directory inside the home for uploads and give the user and group ownership of it.

sudo mkdir /home/paul/www
sudo chown paul:ftpaccess /home/paul/www

Chroot Directory

ChrootDirectory is an sshd_config option. This can be used to “jail” users into a limited view of the filesystem, such as their home directory, rather than letting them see the full filesystem.

Restricted Access

To set up a restricted sftp server one should use the ForceCommand and ChrootDirectory directives in sshd_config. Presumably most people will not want to restrict every user, so they should also use the Match directive to select a user or group to apply the restrictions to. For example:

User

Match user jimbo
    ForceCommand internal-sftp
    ChrootDirectory /chroot

This will cause the user 'jimbo' to be chrooted to the "/chroot" directory at login. The user will not be able to log in interactively or run arbitrary commands; the login will only be useful for sftp transfers. Note that the user's home directory may exist under the "/chroot" directory above (e.g. "/chroot/home/djm") and sshd will try to chdir to it before starting to serve files, but it doesn't matter if it does not exist.

Subsystem sftp internal-sftp

Match User paul
    ChrootDirectory /home/paul
    ForceCommand internal-sftp
    AllowTCPForwarding no
    X11Forwarding no

You can also match a certain group, like Match group webmaster.

If you do log in via SSH to paul's sftp account, though, it'll give an error that no such file or dir exists and

Group

Subsystem sftp internal-sftp

Match Group sftp-only
        AllowTCPForwarding no
        X11Forwarding no
        ForceCommand internal-sftp

Ownership

sudo chown root /home/paul
sudo chmod go-w /home/paul
sudo mkdir /home/paul/writeable
sudo chown paul:sftponly /home/paul/writeable
sudo chmod ug+rwX /home/paul/writeable

Troubleshooting

Permission denied

Add the user "demo" to the group "www-data" (below, replace demo with your username):

sudo usermod -a -G www-data demo

Set the group of the web root to www-data:

sudo chgrp -R www-data /var/www/html

followed by

sudo chmod -R g+w /var/www/html

Now you can modify files as "demo" via SFTP, and your WordPress installation can modify files without asking for credentials.

Server unexpectedly closed network connection

  • chmod 755 the Chroot directory.

The OpenSSH server may fail to start a session when a chroot is configured but cannot be entered (e.g. because the chroot directory is group-writable). Some environments also require specific permissions (e.g. 755) on files like .profile or .bashrc.
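A quick way to audit a ChrootDirectory path against these rules before restarting sshd, as an added example that is not part of the original notes: sshd requires every component of the path to be a directory owned by root and not writable by group or others, so the script walks from the directory up to / (using ls -ldn and awk, assumed available) and reports each component that breaks the rule.

```shell
#!/bin/sh
# Added example (not from the original notes): audit a ChrootDirectory path
# the way sshd checks it. Every component must be a directory owned by root
# (uid 0) and must not be group- or world-writable; otherwise sshd refuses
# the chroot and the client just sees the connection closed.

# Read lines of the form "<uid> <perm string> <path>" from stdin and print
# one diagnostic per violation. Returns 0 if every component is acceptable,
# 1 otherwise.
audit_chroot_entries() {
    rc=0
    while read -r uid perms path; do
        case "$perms" in
            d*) ;;
            *) echo "NOT A DIRECTORY OR MISSING: $path ($perms)"; rc=1; continue ;;
        esac
        if [ "$uid" != "0" ]; then
            echo "NOT ROOT-OWNED: $path (uid $uid)"; rc=1
        fi
        # In "drwxr-xr-x", character 6 is the group write bit and
        # character 9 is the world write bit.
        case "$perms" in
            d????w*)    echo "GROUP-WRITABLE: $path ($perms)"; rc=1 ;;
        esac
        case "$perms" in
            d???????w*) echo "WORLD-WRITABLE: $path ($perms)"; rc=1 ;;
        esac
    done
    return $rc
}

# Emit "<uid> <perms> <path>" for DIR and each parent up to /, using
# ls -ldn so the owner is printed numerically. A path that does not exist
# is emitted as "0 missing <path>" so the audit flags it.
chroot_path_entries() {
    dir=$1
    while :; do
        ls -ldn "$dir" 2>/dev/null |
            awk -v p="$dir" 'END { if (NR == 0) print "0 missing", p } { print $3, $1, p }'
        [ "$dir" = "/" ] && break
        dir=$(dirname "$dir")
    done
}

# Convenience wrapper, e.g.: check_chroot_path /home/paul
check_chroot_path() {
    chroot_path_entries "$1" | audit_chroot_entries
}
```

Run `check_chroot_path /home/paul` (or whatever your ChrootDirectory is) and fix every component it lists with chown root and chmod go-w before restarting sshd.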

Connection refused

  • If you are getting a connection refused error, make sure that Subsystem sftp internal-sftp is placed after UsePAM yes. If it is not, move it and restart SSH.