In attempt to create a new user and restrict its access to SFTP, and access only to a specified direction, I found the question referenced in the link on the next line. Following the solution posted to this question (https://www.digitalocean.com/community/questions/how-do-i-restrict-a-user-to-a-specific-directory) I successfully created a new user and group which I want to restrict to a specified “home” directory.
I followed each step carefully, including the second part of Step 5, which states, “If that line does not exist, …” and since the line DOES exist, I did not include the below text in my SSHD config:
Subsystem sftp internal-sftp
Match group sftpusers
ChrootDirectory %h
ForceCommand internal-sftp
I continued following the step-by-step and restarted SSH. I checked to make sure the user existed in the correct directory with ‘/etc/passwd’ and it all checked out. Created a new droplet for this user in my FTP program and it wouldn’t log in. Went back to Terminal and my connection (from sudoer) was broken. Login with new user didn’t work - as I had hoped; but then login from sudoer didn’t work either - connection refused. Login with root returned same results.
I am really hoping this is not as bad as it seems, and hoping someone here can help out.
Thanks! River
This textbox defaults to using Markdown to format your answer.
You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!
That’s actually one of the mini-guides I wrote, so I’ll do my best to help where possible :-).
The first thing to note is that spacing matters, so when you see:
Subsystem sftp internal-sftp
Match group sftpusers
ChrootDirectory %h
ForceCommand internal-sftp
You need to use the same spacing that I used in the guide. I use a standard tab, which is 4 spaces.
If you are using password-based authentication, I’d recommend using this instead (again, four spaces indent the second through sixth lines with four spaces).
Match group sftpusers
Subsystem sftp internal-sftp
ChrootDirectory %h
ForceCommand internal-sftp
X11Forwarding no
AllowTCPForwarding no
PasswordAuthentication yes
The above needs to go below:
UsePAM yes
So what you should end up with is something that looks like this:
Subsystem sftp internal-sftp
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin yes
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
Match group sftpusers
Subsystem sftp internal-sftp
ChrootDirectory %h
ForceCommand internal-sftp
X11Forwarding no
AllowTCPForwarding no
PasswordAuthentication yes
Once the changes have been made, restart ssh using service ssh restart. You should be able to use password authentication on users that you’ve added to the sftpusers group as of now if the users have been configured correctly.
If you are trying to create an SFTP user who is also a sudo user (which I don’t recommend, for the sake of security), you need to append the user to the group instead of add them as is shown in that guide.
…
For example, let’s say we created a user named jtittle (my username here on the community)
useradd -d /home/jtittle jtittle
If I wanted to add that user to the sudo group, I’d append that group on so I don’t change the main group (which would be jtittle).
usermod -aG sudo jtittle
Now if I wanted to add that user to the sftpusers group as well, I’d append that group using -aG again.
usermod -aG sftpusers jtittle
…
I’m active here in the community, so don’t be afraid to @jtittle tag me if you see a post of mine and want to flag me with the question :-).
Hi @jtittle
I managed to get back into my server via my sudoer. (Apparently it is just a temporary connection refusal for 15 minutes or so; perhaps a security protocol with my VPS provider.) Here is what my SSHD config file looks like now:
UsePAM yes
Subsystem sftp internal-sftp
Match group sftpusers
ChrootDirectory %h
ForceCommand internal-sftp
X11Forwarding no
AllowTCPForwarding no
PasswordAuthentication yes
After writing and quitting, and restarting the SSH service, I was able to login with root via SFTP. I then tried to login with the user I had created in the group sftpusers, with the specified root directory entered into the appropriate field in my FTP program. The password was not accepted, so I tried removing the root directory. The connection was refused and now I am completely blocked from my server again - kicking me out of my sudo SSH connection in Terminal as well.
What have I done wrong?
Thanks, River
SFTP and FTP are entirely different protocols, so if you’re attempting to login using FTP without FTP setup, the login will fail. Likewise, the same would apply if you were trying to login using SFTP when FTP was the only method available.
When you try to login using SFTP, you must use the same port that you use to login to SSH. If you’ve not changed that port, it’d be 22 (as 22 is the default port for SSH).
Depending on what you’re using to login, you may also need to explicitly specific SFTP as the means of login. I know FileZilla differentiates between the two via a drop-down menu.
Become a contributor for community
Get paid to write technical tutorials and select a tech-focused charity to receive a matching donation.
DigitalOcean Documentation
Full documentation for every DigitalOcean product.
Resources for startups and SMBs
The Wave has everything you need to know about building a business, from raising funding to marketing your product.
The developer cloud
Scale up as you grow — whether you're running one virtual machine or ten thousand.
Get started for free
Sign up and get $200 in credit for your first 60 days with DigitalOcean.*
*This promotional offer applies to new accounts only.