tl;dr

- ChrootDirectory must be owned by root. You can enable access to dirs inside the ChrootDirectory that are owned by different users.
- ChrootDirectory needs 755 permissions.
- /var/www needs to be owned by www-data.
Here's what each of those directives does:

- `Match User` tells the SSH server to apply the directives that follow only to the specified user.
- `ForceCommand internal-sftp` forces the SSH server to run the in-process SFTP server upon login, disallowing shell access.
- `PasswordAuthentication yes` allows logging in with a password (just in case you're big on security and have it disabled globally because you use SSH keys).
- `ChrootDirectory /var/sftp/` ensures that the user will not be allowed access to anything beyond the /var/sftp directory. You can learn more about chroot in this chroot tutorial.
- `AllowAgentForwarding no`, `AllowTcpForwarding no` and `X11Forwarding no` disable ssh-agent forwarding, TCP port forwarding (tunnelling) and X11 forwarding for this user.

```bash
GROUP='sftpgrp'
SFTP_USER='sftpuser'   # renamed from USER so the shell's own $USER is not clobbered
USER_PASS='sftppass'
CHROOT='/var/www'

# install OpenSSH if not installed
sudo apt install openssh-server

# create a group for SFTP access
sudo groupadd "${GROUP}"

# Comment out the existing Subsystem line in /etc/ssh/sshd_config
# (Debian/Ubuntu separate the fields with tabs, so match any whitespace):
#   Subsystem sftp /usr/lib/openssh/sftp-server
sudo sed -i 's/^Subsystem[[:space:]]\+sftp[[:space:]]\+\/usr\/lib\/openssh\/sftp-server/#&/' /etc/ssh/sshd_config

# add SFTP config for the group to the SSH configuration file.
# Comments go on their own lines: older sshd releases reject trailing "# ..."
# text after a directive. Subsystem must sit outside any Match block, so this
# assumes sshd_config does not already end inside one.
sudo tee -a /etc/ssh/sshd_config >/dev/null <<EOF

# SFTP
Subsystem sftp internal-sftp

Match Group ${GROUP}
    # limit access to this dir and its subdirs (jailed access)
    ChrootDirectory ${CHROOT}
    # force the in-process SFTP server upon login (no shell)
    ForceCommand internal-sftp
    # allow logging in with a password
    PasswordAuthentication yes
    # disable tun device (tunnel software network interface) forwarding
    PermitTunnel no
    # disable X11 forwarding
    X11Forwarding no
    # disable TCP port forwarding (tunnelling)
    AllowTcpForwarding no
    # disable ssh-agent forwarding
    AllowAgentForwarding no
EOF

# create the user in the SFTP group. useradd -p expects an already-hashed
# password, so set the plaintext one via chpasswd instead.
sudo useradd -g "${GROUP}" "${SFTP_USER}"
echo "${SFTP_USER}:${USER_PASS}" | sudo chpasswd
# add the user to www-data so it can rwx /var/www
sudo usermod -aG www-data "${SFTP_USER}"

# PERMISSIONS
# chroot dir has to be owned by root
sudo chown root:root "${CHROOT}"

# chroot directory also needs 755 in order to avoid: Server unexpectedly closed network connection
sudo chmod 755 "${CHROOT}"

# web directories have to be owned by www-data (assuming you're creating sftp users for websites)
# Change group ownership for `/var/www` to `www-data`
sudo chgrp -R www-data /var/www/*

# Give write permission to the group
sudo chmod -R g+w /var/www/*

# chmod g+s forces new files and dirs to pick up the group owner (www-data),
# making sure that the permissions change propagates
# (`-s` means set user or group ID on execution)
find /var/www -type d -print0 | sudo xargs -0 chmod g+s

# Validate the configuration before restarting, so a typo cannot lock you out
sudo sshd -t

# Restart SSH
sudo service ssh restart
```
Permissions error:

```bash
# Change group ownership for `/var/www` to `www-data`
sudo chgrp -R www-data /var/www/*

# Give write permission to the group
sudo chmod -R g+w /var/www/*
```
Connection error:

Error: Server unexpectedly closed network connection
Error: Could not connect to server

This could mean any of the following:

- ChrootDirectory is not owned by root
- ChrootDirectory permissions are not 755

```bash
sudo chown root:root /var/www/
sudo chmod 755 /var/www/
```
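The ownership and mode rule above is checked by sshd on every component of the chroot path, not just the last directory: each must be a directory owned by root and not writable by group or others, which `chown root:root` plus `chmod 755` satisfies. The following script is an added example (not part of the original post) that walks the path and reports the first component that would make sshd drop the connection; it assumes GNU coreutils `stat` and the hypothetical helper names shown.

```shell
#!/bin/sh
# Added example, not from the original post: verify a ChrootDirectory against
# what sshd enforces before chrooting. Every component of the path must be a
# directory owned by root (uid 0) and not group/world-writable (mode & 022 == 0).
# Assumes GNU coreutils `stat` (Linux).

# Pure check on one component, given uid and octal mode as printed by
# `stat -c '%u %a'`. Returns 0 when acceptable, 1 otherwise.
chroot_component_ok() {
    uid="$1"; mode="$2"
    [ "$uid" -eq 0 ] || return 1
    # 022 = group-write and other-write bits; the leading 0 parses mode as octal
    [ $(( 0$mode & 022 )) -eq 0 ]
}

# Print each ancestor of an absolute path, root first:
# /var/www -> "/", "/var", "/var/www"
path_components() {
    acc=""
    printf '/\n'
    old_ifs=$IFS; IFS=/
    for part in $1; do
        [ -n "$part" ] || continue
        acc="$acc/$part"
        printf '%s\n' "$acc"
    done
    IFS=$old_ifs
}

# Walk the live filesystem. Returns 0 only if every component is acceptable.
# (Assumes the path contains no whitespace.)
check_chroot_path() {
    rc=0
    for d in $(path_components "$1"); do
        if [ ! -d "$d" ]; then
            echo "BAD  $d: not a directory"; rc=1; continue
        fi
        set -- $(stat -c '%u %a' "$d")
        if chroot_component_ok "$1" "$2"; then
            echo "ok   $d (uid=$1 mode=$2)"
        else
            echo "BAD  $d (uid=$1 mode=$2): must be root-owned, not group/world-writable"
            rc=1
        fi
    done
    return $rc
}

# Usage: sh check_chroot.sh /var/www
if [ $# -gt 0 ]; then check_chroot_path "$1"; fi
```

A non-zero exit identifies the component to fix with `chown root:root` and `chmod 755` before restarting sshd.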
Authentication error:

The password is probably wrong. Reset it with this command (passwd prompts for the new password; it does not accept it as an argument):

```bash
sudo passwd sftpuser
```