Limit a sftp account to his home folder

I’m creating a droplet using the Wordpress image. I want to create a sftp user that can access the theme folder (/var/www/html/wp-content/themes) but in the same time not access the plugin folder (/var/www/html/wp-content/plugins/).

This is what i did so far sudo useradd -d /var/www/html/wp-content/themes newuser passwd newuser

in /etc/ssh/sshd_config i added

Subsystem sftp /usr/lib/openssh/sftp-server Match User newuser ChrootDirectory %h AllowTCPForwarding no X11Forwarding no ForceCommand internal-sftp

I can connect with the new sftp user but the user can navigate and reach the plugin folder.

How can i prevent that and limit this user to this home folder (var/www/html/wp-content/themes) .

Is there a way i can “exclude” a folder ?

Thank you

Submit an answer

This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

Sign In or Sign Up to Answer

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

Want to learn more? Join the DigitalOcean Community!

Join our DigitalOcean community of over a million developers for free! Get help and share knowledge in Q&A, subscribe to topics of interest, and get courses and tools that will help you grow as a developer and scale your project or business.

Hello, @crerem

You can easily configure this by following this tutorial:

The part which you are missing is Step 3 — Restricting Access to One Directory

What you need to do is to edit the /etc/ssh/sshd_config file and apply the following changes:

Match User sammyfiles
ForceCommand internal-sftp
PasswordAuthentication yes
ChrootDirectory /var/sftp
PermitTunnel no
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no


Match User tells the SSH server to apply the following commands only to the user specified. Here, we specify sammyfiles.

ForceCommand internal-sftp forces the SSH server to run the SFTP server upon login, disallowing shell access.

PasswordAuthentication yes allows password authentication for this user.

ChrootDirectory /var/sftp/ ensures that the user will not be allowed access to anything beyond the /var/sftp directory.

AllowAgentForwarding no, AllowTcpForwarding no. and X11Forwarding no disables port forwarding, tunneling and X11 forwarding for this user.

This set of commands, starting with Match User, can be copied and repeated for different users too. Make sure to modify the username in the Match User line accordingly.

Note: You can omit the PasswordAuthentication yes line and instead set up SSH key access for increased security. Follow the Copying your Public SSH Key section of the SSH Essentials: Working with SSH Servers, Clients, and Keys tutorial to do so. Make sure to do this before you disable shell access for the user. In the next step, we’ll test the configuration by SSHing locally with password access, but if you set up SSH keys, you’ll instead need access to a computer with the user’s keypair.

To apply the configuration changes, restart the service.

sudo systemctl restart sshd

You have now configured the SSH server to restrict access to file transfer only for sammyfiles. The last step is testing the configuration to make sure it works as intended.

Please make sure to change the sammyfiles user with your actual username.

Hope this helps!

Regards, Alex