Digital Ocean Ubuntu – Setting up a SFTP User with Limited Access
It should be simple: limit the SFTP access…
Today I had to set up a user that is only allowed to upload files via SFTP to a certain directory. Easy task, huh? It should be, but because of the way Digital Ocean sets up the Ubuntu server (16.04 in this case), it took me a while until I could make it work.
- Connect to the server via SSH and…
- …let’s create the user
- Now we edit the SSH config file:
- If there is a line starting with “Subsystem”, place a # in front of it to comment it out, and insert the following at the end of the file:
Subsystem sftp internal-sftp

Match Group filetransfer
    ChrootDirectory /home/johndoe
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp
- Ctrl-X to save the file
- Restart the SSH service
service ssh restart
- Then let’s create the filetransfer group:
addgroup --system filetransfer
- Add johndoe to the filetransfer group:
usermod -G filetransfer johndoe
- Set the ownership and permissions of the home dir:
chown root:root /home/johndoe
chmod 755 /home/johndoe
- Let’s create a dir inside the home dir:
cd /home/johndoe
mkdir files
- Finally, we set the ownership of the content of /home/johndoe (we are still inside that directory):
chown johndoe:filetransfer *
Then you should be able to SFTP to the site, right?
How come it doesn’t work???
No! It will not work, at least not while Digital Ocean configures the Ubuntu server with a root directory that does not have 755 permissions. As a result, sshd throws an error.
If you look at the log (/var/log/auth.log) you will see the following:
fatal: bad ownership or modes for chroot directory component "/"
Just chmod 755 / and bingo! It will work!
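The error above comes from a check sshd performs on every component of the ChrootDirectory path, from / down to the chroot itself: each one must be owned by root and must not be writable by group or others. The following is an added example (not code from the original post) that runs that same walk before you restart sshd, so that a wrong mode on /, /home or /home/johndoe is reported up front instead of showing up in auth.log after a failed login. It assumes GNU stat (the -c option), as shipped on Ubuntu; the second argument to the functions is the expected owner and exists only so the check can be exercised on a test tree that is not root-owned.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight check for an sshd
# ChrootDirectory. sshd refuses a chrooted login unless every component of
# the chroot path, starting at "/", is owned by root and is not writable by
# group or others; otherwise auth.log reports
#   "bad ownership or modes for chroot directory component".
# Assumes GNU stat (-c), as on Ubuntu.

# Check a single path component. $2 is the owner sshd expects (root); it is
# a parameter only so the function can be tested on a non-root directory tree.
check_component() {
  p=$1
  want_owner=${2:-root}
  ok=0
  owner=$(stat -c %U "$p") || return 1
  mode=$(stat -c %a "$p")        # e.g. 755 or 1777; stat prints no leading zero
  other=${mode#"${mode%?}"}      # last octal digit: permissions for others
  rest=${mode%?}
  group=${rest#"${rest%?}"}      # second-to-last digit: permissions for group
  if [ "$owner" != "$want_owner" ]; then
    echo "bad ownership: $p is owned by $owner, sshd requires $want_owner"
    ok=1
  fi
  # The write bit has value 2 inside each octal digit.
  if [ $(( group & 2 )) -ne 0 ] || [ $(( other & 2 )) -ne 0 ]; then
    echo "bad modes: $p has mode $mode and is group- or world-writable"
    ok=1
  fi
  return $ok
}

# Walk every component of the chroot path ("/" first) and report all of the
# problems rather than stopping at the first, so one run shows every fix needed.
check_chroot_path() {
  target=$1
  want_owner=${2:-root}
  rc=0
  cur=""
  check_component / "$want_owner" || rc=1
  old_ifs=$IFS
  IFS=/
  for part in $target; do
    [ -n "$part" ] || continue
    cur="$cur/$part"
    check_component "$cur" "$want_owner" || rc=1
  done
  IFS=$old_ifs
  if [ "$rc" -eq 0 ]; then
    echo "ok: $target is usable as a ChrootDirectory"
  fi
  return $rc
}

# Usage on the server from the post (run as root, default owner is root):
#   check_chroot_path /home/johndoe
```

Note that the writable upload directory (files in the post) is deliberately not part of this walk: it sits inside the chroot and is owned by the SFTP user, so it is allowed to be writable; only the components leading to and including the ChrootDirectory itself are constrained.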
I hope this helps other people save time when limiting the access a user can have via SFTP on Digital Ocean Ubuntu servers.