Question

Help! Step-by-step instructions for SFTP account setup needed

I’ve read numerous Digital Ocean tutorials on SFTP setup as well as general internet tutorials on the same but I haven’t found anything that offers step-by-step setup instructions and I’m a noob!

I have root SSH access to our droplet and have multiple domains hosted at /var/www/domain.com/public_html

I’d like to create multiple SFTP accounts that offer access to specific domains and DO NOT offer SSH access.

Can anyone help?

Assume I know nothing because I’m just learning command line server administration. I’m used to cPanel!

Thanks heaps and heaps!


No, I really do mean SFTP!

SFTP stands for SSH File Transfer Protocol so it must run using SSH in order for it to be SFTP.

Do you mean FTPS? FTPS runs using a secure channel of FTP. It does not use SSH.

For me the difficulty is the permissions when there are several users and domains in the same droplet… A good tutorial: http://askubuntu.com/questions/134425/how-can-i-chroot-sftp-only-ssh-users-into-their-homes

Update: I commented out the other additions that I made to sshd_config and rebooted; now I can ssh as root.

What have I done wrong?

Update: I was able to get in via the control panel as username root and commented out that line, but I’m still unable to SSH from my console software.

Actually I tried that (username root) and couldn’t get in that way either. It says “login incorrect”

@CraigyDavi

I tried out these instructions, but after restarting Linux (`sudo reboot`) I am no longer able to SSH to the droplet.

$ ssh root@***.***.***.***
ssh: connect to host ***.***.***.*** port 22: Connection refused

Thoughts?

Thanks heaps and heaps - I’m looking forward to trying this out tomorrow. I’ll report back!

@GeckoDesigns

I am assuming that you want clients to be able to edit everything in /var/www/johnsmith.com/public_html.

Make sure that when you create a user, you make it the same name as the folder you want them to own. E.g. johnsmith owns /var/www/johnsmith/public_html

Firstly you would add a group for all the clients:

sudo groupadd clients

Then comment out this line in `/etc/ssh/sshd_config` (with a preceding #):

Subsystem sftp /usr/lib/openssh/sftp-server

and replace with:

Subsystem sftp internal-sftp

Now you would create the folder which only 1 client can edit, for example:

$ sudo mkdir /var/www/johnsmith

Create a user and add them to the “clients” group:

$ sudo adduser johnsmith
$ sudo usermod -a -G clients johnsmith

Now change their home directory (we created /var/www/johnsmith):

$ sudo usermod -m -d /var/www/johnsmith johnsmith

Due to some security issues in openssh you need to run these commands:

$ sudo chown root /var/www/johnsmith
$ sudo chmod go-w /var/www/johnsmith
$ sudo mkdir /var/www/johnsmith/public_html
$ sudo chown johnsmith:clients /var/www/johnsmith/public_html
$ sudo chmod ug+rwX /var/www/johnsmith/public_html

Finally open up /etc/ssh/sshd_config and add these lines:

Match Group clients
  ChrootDirectory /var/www/%u
  X11Forwarding no
  AllowTcpForwarding no
  ForceCommand internal-sftp

Now, restart your droplet.

Make sure you check multiple times whether this works or not and that people can access the stuff they are allowed to access!

Let me know if you have further questions.
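The same procedure as one script, added here as a worked example (it is not code from the answer above or from DigitalOcean). It assumes Ubuntu/Debian (`adduser`, the `ssh` systemd unit, GNU `stat`/`sed`), the `/var/www/<user>/public_html` layout used in this thread, and that `setup_sftp_user` is run as root. It adds the checks the thread shows people getting bitten by: the chroot directory and every directory above it must be root-owned and not group- or world-writable or sshd will refuse the login, the `Match` block has to be the last thing in `sshd_config`, and `sshd -t` should pass before you reload or reboot, since a broken config locks you out of SSH entirely.

```shell
#!/usr/bin/env bash
# Added example: chroot-jailed, SFTP-only account provisioning.
# Assumptions: Ubuntu/Debian tools, /var/www/<user>/public_html layout, run as root.
set -euo pipefail

SFTP_GROUP=clients
WEB_ROOT=/var/www
SSHD_CONFIG=/etc/ssh/sshd_config

# OpenSSH only chroots into a directory whose every path component is owned
# by root and not writable by group or others. This pure check takes an
# owner name and an octal mode so it can be exercised without root.
chroot_perms_ok() {
  local owner=$1 mode=$2
  [ "$owner" = root ] || return 1
  # 022 (octal) = group-write | other-write; either bit set is a failure.
  [ $(( 0$mode & 022 )) -eq 0 ]
}

# Walk from the chroot directory up to / and apply the check at each level.
chroot_path_ok() {
  local dir=$1
  while :; do
    chroot_perms_ok "$(stat -c %U "$dir")" "$(stat -c %a "$dir")" \
      || { echo "unsafe chroot component: $dir (must be root-owned, not g/o-writable)" >&2; return 1; }
    [ "$dir" = / ] && return 0
    dir=$(dirname "$dir")
  done
}

# The Match block from the answer. Everything after a Match line belongs to
# that block, so it must be appended at the very end of sshd_config.
sftp_match_block() {
  cat <<EOF
Match Group $SFTP_GROUP
  ChrootDirectory $WEB_ROOT/%u
  X11Forwarding no
  AllowTcpForwarding no
  ForceCommand internal-sftp
EOF
}

# Append the block to a config file only if it is not already there.
append_match_block() {
  local file=$1
  if grep -q "^Match Group $SFTP_GROUP\$" "$file"; then
    return 0
  fi
  { echo; sftp_match_block; } >> "$file"
}

# Full provisioning of one account (needs root; hypothetical helper name).
setup_sftp_user() {
  local user=$1 home=$WEB_ROOT/$user
  getent group "$SFTP_GROUP" >/dev/null || groupadd "$SFTP_GROUP"
  # No login shell: with ForceCommand internal-sftp none is needed, and this
  # keeps the account from ever getting an interactive session.
  id "$user" >/dev/null 2>&1 || adduser --disabled-password --gecos "" \
      --home "$home" --no-create-home --shell /usr/sbin/nologin "$user"
  usermod -a -G "$SFTP_GROUP" "$user"
  # Jail root: root-owned, 755. Web root inside it: writable by the client.
  install -d -o root -g root -m 755 "$home"
  install -d -o "$user" -g "$SFTP_GROUP" -m 775 "$home/public_html"
  chroot_path_ok "$home"
  # Use the in-process SFTP server so no binaries are needed inside the jail.
  sed -i 's|^Subsystem[[:space:]]\+sftp[[:space:]]\+.*|Subsystem sftp internal-sftp|' "$SSHD_CONFIG"
  append_match_block "$SSHD_CONFIG"
  # Validate before reloading: a bad sshd_config means no more SSH for anyone.
  sshd -t && systemctl reload ssh
}

if [ $# -gt 0 ]; then
  setup_sftp_user "$1"
fi
```

Run it as `sudo bash sftp-user.sh johnsmith`, then verify from another machine with `sftp johnsmith@droplet` (should land in `/` of the jail with `public_html` visible) and `ssh johnsmith@droplet` (should be refused with no shell). Keep your root session open while testing, and only reboot once `sshd -t` is clean and a second SSH session to root still works.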

Understood. Could you give me instructions for setting that up?