1). If you’ll see the mini guide below, you’ll be able to knock this out relatively quickly :-). This will also set you up for #2 as well, if #2 is what you’re wanting.
2). SCP requires SSH, so you wouldn’t be able to allow SCP and deny SSH. If you meant SFTP, then yes, you can deny SSH access and still allow SFTP.
First thing, launch PuTTy, Terminal or your preferred application to access your Droplet and login as either
root or your
1). First, we need to create a new group for SFTP users. To this group, we add users that will be able to connect to SFTP. Only users added to this group will be able to SFTP in to your server (of course, this does not limit the
root user – you do not want to add
root to this group, nor modify the
root user at all). To do this, we’ll use the following command:
You can, of course, choose another group name if you’d like. The name of the group doesn’t have to be
sftpusers (it could be anything, as long as the group does not already exist).
2). Now that we have our SFTP group, we can use the following command to add new users to that group, thus, once we’re done, allowing them to use SFTP.
useradd -g sftpusers -d /path/to/users/home -s /sbin/nologin username```
-g specifies the group name (referencing the group we just created in #1).
-d specifies the users home directory (i.e.
/home/username/htdocs/public_html for example)
-s specifies shell access (/sbin/nologin means SSH is disabled for this user, as it should be)
The last part of the command,
username, is the username of the user you’d like to add. So, for example, if I wanted to create a new user by the name of
exampleuser, and a directory of
/home/exampleuser/htdocs/public_html, I’d run:
useradd -g sftpusers -d /home/exampleuser/htdocs/public_html -s /sbin/nologin exampleuser
3). Verify the user by checking
/etc/passwd. The newly created user should appear the bottom of the list.
grep exampleuser /etc/passwd
4). If you’d like to modify an existing user, we can use the following command:
usermod -g sftpusers -d /path/to/users/home -s /sbin/nologin existinguser
-d to the users home directory and
existinguser to the user you wish to modify.
5). We now need to modify our SSH Configuration to allow SFTP (as this is often no enabled by default, at least for users other than
root). To do this, we need to load up our SSH configuration file.
sudo nano /etc/ssh/sshd_config
If you see:
Subsystem sftp /usr/libexec/openssh/sftp-server
Comment it out like so:
#Subsystem sftp /usr/libexec/openssh/sftp-server
If that line does not exist, simply add the following to the end of the file:
Subsystem sftp internal-sftp
Match group sftpusers
What this does is set SSH to allow SFTP, requires that the users usergroup match
sftpusers, sets the SFTP directory to their specified home directory (the one we set when we either created or modified the user) and forces the use of the internal SFTP server. This prevents us from having to use another piece of software to handle SFTP.
Now we need to restart SSH by issuing:
sudo service ssh restart
6). Now that we have everything setup, we need to make one final modification to the permissions we have set on our directories (this would need to be done for each user).
For this example, I’ll use the home directory I referenced above
For SFTP to properly work, we need to make sure the home directory is owned by the user and group we just set, everything else needs to be owned by
root. So if we set our home directory to the above, we need to run:
chown -R examplegroup:sftpusers /home/exampleuser/htdocs/public_html
You can verify the ownership changing over to
So you should see the following ownership when running the
ls -al command:
If that’s what you see, you should now be able to SFTP in as
exampleuser using your Droplet IP and the password you set for this user. If you’ve not yet set a password, you can use the
passwd command from the CLI:
and you’ll be prompted to set a password.
If you need any help or are confused by any of the above, just let me know and I’ll be more than happy to help!