Help! Step-by-step instructions for SFTP account setup needed

Posted July 25, 2015 42.7k views
Linux BasicsLinux Commands

I’ve read numerous Digital Ocean tutorials on SFTP setup as well as general internet tutorials on the same but I haven’t found anything that offers step-by-step setup instructions and I’m a noob!

I have root SSH access to our droplet and have multiple domains hosted at /var/www/

I’d like to create multiple SFTP accounts that offer access to specific domains and DO NOT offer SSH access.

Can anyone help?

Assume I know nothing because I’m just learning command line server administration. I’m used to cPanel!

Thanks heaps and heaps!

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

Submit an Answer
10 answers

SFTP stands for SSH File Transfer Protocol so it must run using SSH in order for it to be SFTP.

Do you mean FTPS?
FTPS runs using a secure channel of FTP. It does not use SSH.

No, I really do mean SFTP!

  • Well then it’s impossible. If you gave someone SFTP access they would also get SSH access.

    You could however allow someone SFTP (+SSH) access but only allow them to read/write files within their domain directory.

Understood. Could you give me instructions for setting that up?


I am assuming that you want clients to be able to edit everything in /var/www/

Make sure that when you create a user, you make it the same name as the folder you want them to own. E.g. johnsmith owns /var/www/johnsmith/public_html

Firstly you would add a group for all the clients:

sudo groupadd clients

Then comment out this line in `/etc/ssh/sshd_config (with a preceding #)`:

Subsystem sftp /usr/lib/openssh/sftp-server

and replace with:

Subsystem sftp internal-sftp

Now you would create the folder which only 1 client can edit, for example:

$ sudo mkdir /var/www/johnsmith

Create a user and add them to the “clients” group:

$ sudo adduser sftpuser
$ sudo usermod -a -G clients johnsmith

Now change their home directory (we created /var/www/johnsmith):

$ usermod -m -d /var/www/johnsmith johnsmith

Due to some security issues in openssh you need to run these commands:

$ sudo chown root /var/www/johnsmith
$ sudo chmod go-w /var/www/johnsmith
$ sudo mkdir /var/www/johnsmith/public_html
$ sudo chown johnsmith:clients /var/www/johnsmith/public_html
$ sudo chmod ug+rwX /var/www/johnsmith/public_html

Finally open up /etc/ssh/sshd_config and add these lines:

Match Group clients
  ChrootDirectory /var/www/%u
  X11Forwarding no
  AllowTcpForwarding no
  ForceCommand internal-sftp

Now, restart your droplet.

Make sure you check multiple time whether this works or not and that people can access the stuff they are allowed to access!

Let me know if you have further questions.

Thanks heaps and heaps - I’m looking forward to trying this out tomorrow. I’ll report back!


I tried out these instructions but after restarting Linux sudo reboot I am no longer able to SSH to the droplet.

$ ssh root@***.***.***.***
ssh: connect to host ***.***.***.*** port 22: Connection refused


  • Looks like you’ll have to login to the console on the DigitalOcean control panel.

    Try going to /etc/ssh/sshd_config and uncomment Subsystem sftp /usr/lib/openssh/sftp-server

Actually I tried that (username root) and couldn’t get in that way either. It says “login incorrect”

Update, I was able to get in via the control panel as username root and commented out that line but I’m still unable to SSH from my console software

Update, I commented out the other additions that I made to the sshd_config and rebooted, now I can ssh as root

What have I done wrong?

  • Try removing these lines:

    X11Forwarding no
      AllowTcpForwarding no
      ForceCommand internal-sftp

    and see if it works but keep the chroot line

For me the difficult is the permissions when there are several users and domains in the same droplet… A good tutorial: