Create a new SFTP users group. Replace sftpusers with your desired group name.
$ sudo addgroup sftpusers
Create a new user account. Replace user with your desired user name.
$ sudo adduser user
Enter the user’s full name and a password to continue.
Then, add the user to the SFTP group. The -a flag appends the group so the user keeps any other supplementary groups.
$ sudo usermod -aG sftpusers user
Give root ownership of the home directory. sshd only chroots into a directory that is owned by root and not writable by group or others, and this chroot is what restricts the user from accessing files outside the home directory.
$ sudo chown root:root /home/user
Now, create a subdirectory within the user home directory. This is where files are transferred, since the user cannot write to the root-owned home directory itself.
$ sudo mkdir /home/user/uploads
Grant the user ownership of the subdirectory.
$ sudo chown -R user:user /home/user/uploads
Then, set the permissions. Mode 755 gives the owner read, write and execute access and everyone else read and execute only, so the root-owned home directory stays non-writable by the user (as sshd requires) while the user-owned uploads directory remains writable by them.
$ sudo chmod -R 755 /home/user/
Configure SFTP
With the sftp group and user accounts created, enable SFTP in the main SSH configuration file.
Using an editor of your choice, open the file /etc/ssh/sshd_config.
$ sudo vim /etc/ssh/sshd_config
Add the following lines to the end of the file. Replace sftpusers with your actual sftp group.
Match Group sftpusers
ChrootDirectory %h
PasswordAuthentication yes
AllowTcpForwarding no
X11Forwarding no
ForceCommand internal-sftp
Save and close the file.
Below are the functions of each of the above configuration lines:
- Match Group sftpusers: Apply the following settings only to members of the sftpusers group.
- ChrootDirectory %h: Restrict access to the user’s home directory (%h expands to the home directory of the user logging in).
- PasswordAuthentication yes: Enable password authentication.
- AllowTcpForwarding no: Disable TCP forwarding.
- X11Forwarding no: Disable X11 (graphical display) forwarding.
- ForceCommand internal-sftp: Allow SFTP only, with no shell access.
Also, confirm that the SFTP subsystem is enabled (it is by default). The line below should be uncommented in /etc/ssh/sshd_config:
# override default of no subsystems
Subsystem sftp /usr/lib/openssh/sftp-server
Restart the SSH server for changes to take effect.
$ sudo systemctl restart sshd