SFTP (the SSH File Transfer Protocol) uses SSH to set up an authenticated, encrypted connection between computers for transferring files.
With an SFTP server you can upload files to your VPS with little effort, for example to place website updates on a web server or to upload media to a Plex server.
In this article we show you how to configure OpenSSH on Debian 9 so that SFTP users get no shell access to your server and each user's SFTP access is confined (chrooted) to a folder of their own.
Every Linux user account belongs to one primary group and, optionally, to further supplementary groups. For security reasons, and to make it easier to manage SFTP accounts in bulk, create a group to which all SFTP users are added:
You are free to adjust the group name as desired. Make sure that you then also adjust the group name in the following steps.
Then create a user with the command below, replacing username with the actual name of the SFTP user. The -d option sets the user's home directory; this article uses /sftp, the root folder under which each user's own upload folder (e.g. /sftp/username/files) is created in the next step.
useradd -g sftp -d /sftp -s /sbin/nologin username
- useradd: adds a new user
- -g sftp: makes sftp the primary group of the new user
- -d /sftp: sets /sftp as the home directory of this user. After the chroot configured later in this article, that path does not exist inside the user's view of the file system, so the SFTP session simply starts at the chroot root (/sftp/username, which the user sees as /).
- -s /sbin/nologin: sets /sbin/nologin as the login shell, so an interactive SSH login is refused. On Debian the nologin binary is installed as /usr/sbin/nologin and /sbin/nologin may not exist, but the result is the same: SFTP keeps working because the sshd configuration below runs OpenSSH's built-in SFTP server without ever invoking the shell, and a shell that does not exist or refuses logins blocks interactive access either way.
- username: the username of the new user
- passwd username: run this afterwards to set a password for the new user
Next, create a folder for the new user to which he / she can upload files.
mkdir -p /sftp/username/files
- Change username to the username that you chose when creating the user.
- The -p (--parents) option ensures that the missing parent folders sftp and username are created as well.
- You are free to change the directory to another location, for example:
- If you host a website in /var/www/example.com/public_html, you would use /var/www/example.com/public_html here.
- Suppose you want to add an SFTP folder in a home directory, then, you replace the folder name /sftp with /home/username/sftp for example. Please note that the user must exist in this example.
- If you use a Plex server, for example with a Big Storage, then, you would use /mnt/bigstorage/plex-media/pictures (and / or videos / series) for example.
Adjust the permissions and ownership of the folders with the commands below.
This ensures that the SFTP user can only create and modify files in /sftp/username/files and not in the folders above it. OpenSSH also requires this: every directory in the ChrootDirectory path (here /sftp and /sftp/username) must be owned by root and must not be writable by group or others, otherwise sshd refuses the login.
chmod 500 /sftp
chmod 700 /sftp/username/files
chown root:sftp /sftp/username
chown username:sftp /sftp/username/files
- chmod 500 /sftp: gives only the owner of /sftp (root) read and execute rights on /sftp; nobody else can list or enter it directly.
- chmod 700 /sftp/username/files: gives only the owner of /sftp/username/files (username) read, write and execute rights in that folder.
- chown root:sftp /sftp/username: makes root the owner and sftp the group of /sftp/username. With the usual umask of 022, mkdir has already given it mode 755, so the user can read it but not write to it, which is exactly what sshd demands of a ChrootDirectory.
- chown username:sftp /sftp/username/files: makes username the owner and sftp (the user's primary group) the group of /sftp/username/files.
Finally, a small adjustment to the configuration of your SSH server is needed. First, open /etc/ssh/sshd_config in an editor such as nano.
Scroll all the way down and add the lines below at the very end of the file. Everything that follows a Match line belongs to that Match block until the next Match line, so any global option placed after it would silently apply to the sftp group only.
AllowGroups ssh sftp
Match Group sftp
    ChrootDirectory /sftp/%u
    ForceCommand internal-sftp
Users of the sftp group are automatically locked (chrooted) into the /sftp/%u folder, where sshd replaces %u with the name of the user who logs in; /sftp/username then appears to that user as /. ForceCommand internal-sftp runs OpenSSH's built-in SFTP server instead of the user's shell, so the nologin shell is never invoked. AllowGroups ssh sftp restricts every SSH login, not only SFTP, to members of the groups ssh and sftp: make sure the ssh group exists and that your own administrative account is a member of it before you reload sshd, otherwise you lock yourself out. Keep your current session open until you have confirmed that a new login still works.
Save the changes and close nano with ctrl + x > y > enter.
Reload your SSH configuration afterwards with:
systemctl reload sshd
You can now connect to your server via SFTP! Make sure you select SFTP as the protocol in your SFTP software instead of FTP / FTPS. You also use your SSH port instead of your FTP port. If you are not sure which port this is, you can find it on your server with the command:
grep -E '^#?Port' /etc/ssh/sshd_config
If the line is absent or still commented out (#Port 22), sshd listens on the default port 22.