Set up SFTP Users in Linux-based Systems
This article shows you how to create secured SSH File Transfer Protocol (SFTP) users that are restricted or jailed to their home directories.
WARNING: Do not try to jail the root user. Only jail additional users so that you don't prevent the root user from performing operations correctly.
Before you begin, review the following best practices:
-
The home directory of the SFTP user must be owned by
root:root
. Other directories
can (and should) be owned (and writable) by the user. -
It's important to ensure the chroot user has write access to the specified DocumentRoot.
-
It's important to log in and test that the SFTP user is working correctly.
-
It's important to ensure that the SFTP user added is added to the SFTP group.
-
These instructions are for adding a single domain (SFTP user), but you could potentially
use them to manage multiple domains.
Important: The steps in this article do not work with RHEL® 7 or CentOS® 7. As with any proper chroot operation, this configuration does not provide write access to the chroot directory. Only subdirectories of the chroot jail are writable. This is due to the way that root permissions are interpreted at the higher-level directories in which the SFTP user is contained.
Use the following steps to create secured SFTP users that are jailed to their home directories:
-
Add the SFTP group that you want to use for SFTP access by running the following command:
groupadd sftponly
-
Add the SFTP user by running the following command, replacing
myuser
with the username:useradd -d /var/www/vhosts/domain.com -s /bin/false -G sftponly myuser
-
Create a password for the user by running the following command, replacing
myuser
with the username:passwd myuser
-
Open the
sshd_config
file that holds the SSH and SFTP configuration by running the following command:nano /etc/ssh/sshd_config
-
Comment out the following line by adding a hash symbol (#) at the beginning, as shown in the following example:
#Subsystem sftp /usr/lib/openssh/sftp-server
-
Add the following line directly below the line that you just commented out:
Subsystem sftp internal-sftp
-
Add the following code to the bottom of the file:
Match Group sftponly
ChrootDirectory %h
X11Forwarding no
AllowTCPForwarding no
ForceCommand internal-sftp -
Run the
sshd
command to test the changes, then restart the service.Important: If this step is performed incorrectly, it might break your SSHD configuration.
sshd -t service sshd restart
Ensure that the file permissions on the file system are correct
Next, you need to verify that the file permissions on the file system are correct so that the SFTP jail works correctly.
-
Verify that the
SFTPROOT
directory (the home directory that you set when you added the SSH user) has the rightuser:root group:root
permissions by running the following command:chown root:root /var/www/vhosts/mywebsite.com/
-
To verify that the SFTP login works, connect to SFTP by running the following command, replacing
myuser
with the user that you have chosen, as shown in the following example:sftp myuser@localhost
myuser@localhost's password:
Connected to localhost. -
Test the directory listing by running the following command:
sftp> ls -al
The output should be similar to the following example:
drwxr-xr-x 3 0 0 4096 Sep 28 08:09 . drwxr-xr-x 3 0 0 4096 Sep 28 08:09 .. drwxr-xr-x 2 5001 33 4096 Sep 28 08:52 html -rw-r--r-- 1 0 0 0 Sep 28 08:09 test.php
Note: Use the
cd
command to go to the HTML directory (which is located at/var/www/vhosts/mywebsite.com/html
because the website 'documentroot' is one level below the SSH SFTP user'sroot
directory. You should use this setup
because yourwww-data
users (the web server's users) have rootuser:group
permissions on its files. -
Test the ability to upload files by running the following commands:
sftp> cd html
sftp> put test.php
Uploading test.php to /html/test.php
test.php
100% 12K 20.0KB/s 00:00 -
Test the ability to download files by running the following command:
sftp> get test.php
Fetching /test.php to test.php -
Display the present working directory by running the following command:
sftp> pwd Remote working directory: /html
SFTP only sees the files in the
/var/www/vhosts/mywebsite.com/
directory, and considers
this directory the highest-level, root ('/') directory. -
Use the following steps to connect to SFTP and set up your SFTP client:
- Install Cyberduck®.
- Open the Cyberduck application.
- At the top of the window, click the icon for Open Connection.
- In the drop-down menu, select SFTP (SSH File Transfer Protocol).
- In the Server field, enter the Internet Protocol (IP) address for the server.
- Enter the username and password that you use to connect to SFTP.
- Click Connect.
Important: Always test your website after you change file permissions.
Updated about 1 year ago