SFTP-server manual Ubuntu 16 & 18

SFTP (the SSH File Transfer Protocol) runs inside an SSH connection, so file transfers are authenticated and encrypted the same way an SSH login is.

With an SFTP server you can upload files to your VPS with little effort, for example to push website updates to a web server or to add media to a Plex server.

In this article we show how to adjust the OpenSSH configuration on Ubuntu 16 or 18 so that SFTP users get no shell access to your server and each of them is confined (chrooted) to a single folder.

Do you prefer to use FTPS? Then take a look at our vsftpd article.

Step 1

Connect to your VPS via SSH or the VPS console in your control panel.

Step 2

All user accounts in Linux belong to one or more groups. Create a group for the SFTP users: the Match rule in step 7 applies the chroot and the SFTP-only restriction to members of this group, and it also makes it easier to manage SFTP accounts in bulk:

groupadd sftp

You are free to adjust the group name as desired. Make sure that you then also adjust the group name in the following steps.

Step 3

Then create the user with the command below, replacing username with the actual SFTP user name. The home directory (-d) is interpreted inside the chroot that step 7 sets up (/sftp/username): when that path does not exist inside the chroot, sshd starts the session in the chroot root, where the user sees the files folder from step 4.

useradd -g sftp -d /sftp -s /usr/sbin/nologin username
Explanation
  • useradd: adds a new user
    • -g sftp: makes sftp the primary group of the new user
    • -d /sftp: sets /sftp as the home directory of this user
    • -s /usr/sbin/nologin: sets nologin as the login shell (this is the Ubuntu location; /sbin/nologin is the Red Hat path and is not present on a standard Ubuntu 16 or 18 install), so the account cannot open an interactive shell even if the ForceCommand from step 7 were ever removed
    • username: the user name of the new account
  • passwd username: set a password for the new user

Step 4

Next, create the folder to which the new user can upload files.

mkdir -p /sftp/username/files
  • Change username to the user name that you chose in step 3.
  • The -p option (parents) also creates the /sftp and /sftp/username folders if they do not exist yet.
  • You are free to use another location, as long as it stays reachable from inside the chroot of step 7 (/sftp/username): either put the folder below that directory, bind-mount the real location into it, or change ChrootDirectory in step 7 to the parent of your upload folder. Whichever directory becomes the chroot must be owned by root and must not be writable by group or others, and the same holds for every parent of it. Examples:
    • If you host a website in /var/www/example.com/public_html and make /var/www/example.com the chroot, the upload folder is /var/www/example.com/public_html.
    • If you want the SFTP folder inside a home directory, for example /home/username/sftp, the user must already exist, and /home/username then has to become root-owned to serve as the chroot, which breaks a normal shell home; this only works for SFTP-only accounts.
    • If you use a Plex server, for example with a Big Storage, the upload folder could be /mnt/bigstorage/plex-media/pictures (and/or videos, series), with the chroot set to its parent.

Step 5

Adjust the permissions and ownership of the folders with the commands below.

This matters for two reasons: sshd refuses to chroot a user unless the chroot directory and every parent of it are owned by root and not writable by group or others (the login then fails with "bad ownership or modes for chroot directory"), and the user should only be able to write in /sftp/username/files, not in the directories above it.

chmod 500 /sftp
chmod 700 /sftp/username/files
chown root:sftp /sftp/username
chown username:sftp /sftp/username/files
Explanation
  • chmod 500 /sftp: only the owner (root) gets read and execute rights on /sftp; nobody else can list or traverse it
  • chmod 700 /sftp/username/files: only the owner gets read, write and execute rights in /sftp/username/files
  • chown root:sftp /sftp/username: makes root the owner and sftp the group of /sftp/username, the chroot directory. mkdir created it with mode 755 (with the usual umask of 022), so the group cannot write to it; leave it that way, or sshd will reject the chroot
  • chown username:sftp /sftp/username/files: makes username the owner and sftp (the group from step 2) the group of /sftp/username/files, so the user can write there

Step 6

Next, a small adjustment to the configuration of your SSH server is needed. Open the configuration file, for example with nano:

nano /etc/ssh/sshd_config

Step 7

Scroll all the way down and add the lines below.

AllowGroups ssh sftp
Match Group sftp
ChrootDirectory /sftp/%u
ForceCommand internal-sftp

Explanation
  • AllowGroups ssh sftp: only members of the ssh and sftp groups may log in at all. This is a whitelist: if the account you administer the server with is not in the ssh group (or another group you list here), you lock yourself out at the next reload. Add your admin account to that group first, or replace ssh with a group it already belongs to.
  • Match Group sftp: the lines after it apply only to members of the sftp group. Every line after a Match line belongs to that block until the next Match, so keep this block at the very end of the file.
  • ChrootDirectory /sftp/%u: members of the sftp group are chrooted to /sftp/%u, where sshd replaces %u with the name of the user who logs in; they cannot see anything outside that folder.
  • ForceCommand internal-sftp: sshd runs its built-in SFTP server whatever the client asks for, so a shell or remote command is impossible even for a user that still has a valid login shell.

Save the changes and close nano with ctrl + x > y > enter.

Step 8

Then reload your SSH configuration with the command below. Sessions that are already open are not affected, so keep the session you are working in open and verify that a fresh SSH login still works for your admin account before you close it:

systemctl reload sshd
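
The whole procedure from step 2 to step 8 as one shell script, added here as an example and not part of the original article. It assumes the names used above (group sftp, base folder /sftp, an admin group called ssh that stays in AllowGroups) and Ubuntu's nologin path /usr/sbin/nologin. Its check_chroot_path function applies to every component of the ChrootDirectory path the same ownership and permission rules that sshd applies at login, the provision function refuses to run when nobody is in the admin group and runs sshd -t before reloading, and the two forwarding options in the Match block are extra hardening that the article does not mention.

```bash
#!/bin/sh
# Added example, not part of the original article: provision a chrooted, SFTP-only
# user following steps 2 to 8 and check what sshd will check before reloading it.
# Assumptions: group "sftp", base folder /sftp, an admin group "ssh" that stays in
# AllowGroups, and Ubuntu's nologin at /usr/sbin/nologin.
# Usage (as root):  ./sftp-user.sh provision alice
#                   ./sftp-user.sh check /sftp/alice
set -eu

SFTP_GROUP="sftp"
ADMIN_GROUP="ssh"               # members keep normal SSH access; must contain your admin user
SFTP_BASE="/sftp"
NOLOGIN="/usr/sbin/nologin"
SSHD_CONFIG="/etc/ssh/sshd_config"

# sshd only chroots a user when every component of ChrootDirectory, from / down
# to the chroot itself, is owned by OWNER_UID (0 = root) and is not writable by
# group or others; otherwise the login fails with "bad ownership or modes for
# chroot directory". Walk the path and report the first offending component.
# ROOT is the ancestor to start from (default /); another value is only useful
# for testing on a scratch tree. Returns 0 when sshd would accept the path.
check_chroot_path() {
    local chroot_dir="$1" owner_uid="${2:-0}" root="${3:-/}"
    local rel cur info uid sym part
    rel="${chroot_dir#"$root"}"; rel="${rel#/}"
    cur="$root"
    while :; do
        info=$(stat -c '%u %A' "$cur" 2>/dev/null) \
            || { echo "missing: $cur" >&2; return 1; }
        uid="${info% *}"; sym="${info#* }"        # e.g. "0 drwxr-xr-x"
        if [ "$uid" != "$owner_uid" ]; then
            echo "not owned by uid $owner_uid: $cur" >&2; return 1
        fi
        case "$sym" in                            # char 6 = group write, char 9 = other write
            ?????w*|????????w*) echo "writable by group or others: $cur" >&2; return 1 ;;
        esac
        [ -n "$rel" ] || return 0
        part="${rel%%/*}"
        if [ "$part" = "$rel" ]; then rel=""; else rel="${rel#*/}"; fi
        [ -n "$part" ] || continue
        cur="${cur%/}/$part"
    done
}

# The sshd_config fragment from step 7. Every line after "Match" belongs to that
# block until the next Match, so the fragment must stay at the end of the file.
# AllowTcpForwarding/X11Forwarding are extra hardening for SFTP-only accounts.
render_sshd_config() {
    printf '%s\n' \
        "AllowGroups $1 $2" \
        "Match Group $2" \
        "    ChrootDirectory $3/%u" \
        "    ForceCommand internal-sftp" \
        "    AllowTcpForwarding no" \
        "    X11Forwarding no"
}

provision_sftp_user() {
    local name="$1" dir members
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    # AllowGroups is a whitelist: with nobody in ADMIN_GROUP the reload locks you out.
    members=$(getent group "$ADMIN_GROUP" | cut -d: -f4)
    [ -n "$members" ] || { echo "no members in group $ADMIN_GROUP; run" \
        "usermod -aG $ADMIN_GROUP <your admin user> first" >&2; return 1; }
    getent group "$SFTP_GROUP" >/dev/null || groupadd "$SFTP_GROUP"            # step 2
    id "$name" >/dev/null 2>&1 \
        || useradd -g "$SFTP_GROUP" -d "$SFTP_BASE" -s "$NOLOGIN" "$name"        # step 3
    dir="$SFTP_BASE/$name"
    mkdir -p "$dir/files"                                                       # step 4
    chown root:root "$SFTP_BASE";            chmod 500 "$SFTP_BASE"             # step 5
    chown "root:$SFTP_GROUP" "$dir";         chmod 755 "$dir"
    chown "$name:$SFTP_GROUP" "$dir/files";  chmod 700 "$dir/files"
    check_chroot_path "$dir"                 # same test sshd applies at login
    passwd "$name"
    grep -q "^Match Group $SFTP_GROUP" "$SSHD_CONFIG" \
        || render_sshd_config "$ADMIN_GROUP" "$SFTP_GROUP" "$SFTP_BASE" >> "$SSHD_CONFIG"   # step 7
    sshd -t                                  # refuse to reload on a syntax error
    systemctl reload ssh                     # step 8; "sshd" is an alias of this unit on Ubuntu
}

case "${1:-}" in
    provision) provision_sftp_user "$2" ;;
    check)     check_chroot_path "$2" ;;
esac
```

Run it as root with `provision alice`; `check /sftp/alice` only runs the chroot path check, which is the first thing to try when a login fails after you have moved the upload folder somewhere else.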

You can now connect to your server via SFTP. Select SFTP as the protocol in your client instead of FTP or FTPS, and use your SSH port instead of the FTP port. If you are not sure which port that is, check it on your server with the command below; if it prints nothing, the Port line is commented out and sshd listens on the default port 22:

grep '^Port' /etc/ssh/sshd_config
