Digital Ocean Ubuntu – Setting up a SFTP User with Limited Access


It should be simple: limit the SFTP access…

Today I had to set up a user that is only allowed to upload files via SFTP to a certain directory. Easy task, huh? It should be, but because of the way Digital Ocean sets up the Ubuntu server (16.04 in this case), it took me a while until I could make it work.

Let’s see:

  1. Connect to the server via SSH and…
  2. …let’s create the user
    adduser johndoe
  3. Now we edit the SSH config file:
    nano /etc/ssh/sshd_config
  4. If there is a line starting with “Subsystem” just place a # before it and insert the following at the end of the file:
    Subsystem sftp internal-sftp
    Match Group filetransfer
    ChrootDirectory /home/johndoe
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp
  5. Ctrl+X to save the file
  6. Restart the SSH service
    service ssh restart
  7. Then let’s create the filetransfer group:
    addgroup --system filetransfer
  8. Add johndoe to the filetransfer group:
    usermod -G filetransfer johndoe
  9. Set the ownership and permission of the home dir:
    chown root:root /home/johndoe
    chmod 755 /home/johndoe
  10. Let's create a directory inside the home dir:
    cd /home/johndoe
    mkdir files
  11. Finally, we set the ownership of the contents of /home/johndoe:
    chown johndoe:filetransfer *

Then you should be able to SFTP the site, right?

How come it doesn’t work???

No! It will not work, at least not while Digital Ocean's Ubuntu image configures the server with the root dir not having 755 permissions. As a result, the login fails with an error.

If you look at the log (/var/log/auth.log), you will see the following:

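    fatal: bad ownership or modes for chroot directory component "/"

sshd refuses to chroot unless every component of the ChrootDirectory path, starting at /, is owned by root and not writable by group or others, which is why the error names "/".

You just chmod 755 / and bingo! -- it will work!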
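
To see which path component sshd objects to before changing any permissions, this added example (not part of the original post) applies the same rule to each directory from / down to the chroot: owned by root and not writable by group or others. It assumes GNU stat, as shipped on Ubuntu; the function names are made up for the example.

```shell
#!/bin/sh
# Added example: applies sshd's ChrootDirectory rule to every path component.
# Assumes GNU stat (Ubuntu); function names are made up for this example.

# component_ok UID MODE: succeeds if the owner is root (uid 0) and the octal
# mode has neither the group-write nor the other-write bit set (mask 022).
component_ok() {
    [ "$1" -eq 0 ] 2>/dev/null && [ $(( 0$2 & 022 )) -eq 0 ]
}

# check_chroot_path DIR: walks from / down to DIR, printing a verdict for each
# component. Returns 1 at the first component sshd would reject, 2 if DIR is
# not an absolute path.
check_chroot_path() {
    case $1 in
        /*) ;;
        *) echo "not an absolute path: $1" >&2; return 2 ;;
    esac
    rest=${1#/}
    cur=/
    while :; do
        if [ ! -d "$cur" ]; then
            echo "BAD  $cur (not a directory)"
            return 1
        fi
        uid=$(stat -L -c %u "$cur")    # -L: follow symlinks, as stat(2) does
        mode=$(stat -L -c %a "$cur")
        if component_ok "$uid" "$mode"; then
            echo "ok   $cur (uid=$uid mode=$mode)"
        else
            echo "BAD  $cur (uid=$uid mode=$mode)"
            return 1
        fi
        [ -z "$rest" ] && return 0     # last component checked
        part=${rest%%/*}               # next component name
        case $rest in
            */*) rest=${rest#*/} ;;
            *)   rest= ;;
        esac
        if [ -n "$part" ]; then
            cur=${cur%/}/$part
        fi
    done
}

# Usage when run as a script: ./check_chroot.sh /home/johndoe
if [ "$#" -gt 0 ]; then
    check_chroot_path "$1"
fi
```

Run it as root against the configured chroot, for example /home/johndoe; the BAD line is the component named in the auth.log error.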

I hope this helps other people save time when limiting the access a user can have via SFTP on Digital Ocean Ubuntu servers.

That’s it!
