Notes

SFTP Users for Website directory

System Administration

tl;dr

  • The ChrootDirectory must be owned by root and must not be writable by group or others. Directories inside the ChrootDirectory can be owned by other users.
  • The ChrootDirectory needs 755 permissions
  • Add the SFTP block at the END OF THE FILE. Every directive after a Match line belongs to that Match block until the next Match line, so anything that follows it would only apply to the matched users, and the block itself would not work as intended anywhere else
  • Web directories under /var/www need to be group-owned by www-data

What we’ll do

  • Create a Group for SFTP access
  • Add our users to that SFTP Group

Here’s what each of the directives in the script below does:

  • Match User (the script below uses Match Group, which works the same way for every member of the group) tells the SSH server to apply the directives that follow only to the user specified.
  • ForceCommand internal-sftp forces the SSH server to run the in-process SFTP server upon login, disallowing shell access.
  • PasswordAuthentication yes allows logging in with a password for these users, even if you have disabled it globally because you use SSH keys.
  • ChrootDirectory /var/sftp/ ensures that the user will not be allowed access to anything beyond the /var/sftp directory (the script below uses /var/www).
  • PermitTunnel no, AllowAgentForwarding no, AllowTcpForwarding no and X11Forwarding no disable tun-device forwarding, ssh-agent forwarding, TCP port forwarding (tunnelling) and X11 forwarding for these users.
```sh
GROUP='sftpgrp'
# SFTP_USER/SFTP_PASS rather than USER/USER_PASS, so the shell's own $USER is not overwritten
SFTP_USER='sftpuser'
SFTP_PASS='sftppass'
CHROOT='/var/www'

# install OpenSSH if not installed
sudo apt install openssh-server

# create a group for SFTP access
sudo groupadd ${GROUP}

# Comment out the Subsystem line in /etc/ssh/sshd_config
# (the Debian default separates the fields with tabs, so match any whitespace)
#Subsystem sftp /usr/lib/openssh/sftp-server
sudo sed -i -E 's|^Subsystem[[:space:]]+sftp[[:space:]]+/usr/lib/openssh/sftp-server|#&|' /etc/ssh/sshd_config

# add SFTP config for the group to the END of the SSH configuration file
# (plain ">>" under sudo does not work, the redirection runs as your user; tee -a does)
# Everything after a Match line belongs to that Match block, so this must come last.
# Comments go on their own lines: older sshd versions reject a trailing comment
# on a directive with "garbage at end of line".
sudo tee -a /etc/ssh/sshd_config >/dev/null <<EOF

# SFTP
Subsystem sftp internal-sftp

Match Group ${GROUP}
	# limit access to this dir and its subdirs (jailed access)
	ChrootDirectory ${CHROOT}
	# run the in-process SFTP server upon login, no shell
	ForceCommand internal-sftp
	# allow logging in with password
	PasswordAuthentication yes
	# disable tun device (tunnel software network interface) forwarding
	PermitTunnel no
	# disable X11 (GUI) forwarding
	X11Forwarding no
	# disable TCP port forwarding / tunnelling
	AllowTcpForwarding no
	# disable ssh-agent forwarding
	AllowAgentForwarding no
EOF

# create the user with the SFTP group as primary group and no login shell
# (useradd -p expects an already-hashed password, so set it with chpasswd instead)
sudo useradd -g ${GROUP} -s /usr/sbin/nologin ${SFTP_USER}
printf '%s:%s\n' "${SFTP_USER}" "${SFTP_PASS}" | sudo chpasswd
# add the user to www-data so it can rwx /var/www
sudo usermod -aG www-data ${SFTP_USER}

# PERMISSIONS
# chroot dir has to be owned by root and must not be group/world writable
sudo chown root:root ${CHROOT}

# chroot directory also needs 755 in order to avoid: Server unexpectedly closed network connection
sudo chmod 755 ${CHROOT}

# web directories have to be owned by www-data (assuming you're creating sftp users for websites)
# Change group ownership for `/var/www` to `www-data`
sudo chgrp -R www-data /var/www/*

# Give write permission to the group
sudo chmod -R g+w /var/www/*

# setgid (g+s) on a directory makes new files and subdirs inherit its group (www-data),
# so the group permissions keep propagating to whatever the SFTP user uploads
find /var/www -type d -print0 | sudo xargs -0 chmod g+s

# Check the config before restarting: a syntax error here would lock you out of SSH
sudo sshd -t
# Restart SSH
sudo service ssh restart
```

Troubleshooting

Permissions error:

```sh
# Change group ownership for `/var/www` to `www-data`
sudo chgrp -R www-data /var/www/*

# Give write permission to the group
sudo chmod -R g+w /var/www/*
```

Connection error:

```text
Error:        	Server unexpectedly closed network connection
Error:        	Could not connect to server
```

This could mean any of the following

  • The ChrootDirectory is not owned by root
  • The ChrootDirectory permissions are not 755
```sh
sudo chown root:root /var/www/
sudo chmod 755 /var/www/
```

Authentication error:

The password is probably wrong. Reset it with this command (passwd does not take the new password as an argument, so pipe it to chpasswd instead):

```sh
# set the new password non-interactively; replace SECUREPASS with the real one
echo 'sftpuser:SECUREPASS' | sudo chpasswd
```