Newbie - How to add an SFTP user (using SSH key to login) who has access to specific folder in the server?

September 11, 2014 17.8k views
Okidoki
By:
Okidoki

Hi, I managed to create a droplet with SSH public/private keys from the beginning using this tutorial. Obviously, those SSH keys are assigned only for ‘root’ user, so I’d like to add an additional sudo user who can access ONLY /var/www/website.com/html (the default folder for the site’s frontend) folder using Filezilla SFTP with SSH key (no password allowed).

So the question is, how do I pull this off? Is there any tutorial that addresses this? Can the sudo user share the same public/private SSH keys as root? If not, how do I add additional keys without interfering with the existing ones? Thanks in advance!

Log In to Comment
1 Answer
asb MOD September 11, 2014

To limit an SFTP user to a specific directory, you can edit /etc/ssh/sshd_config to include:

Match User username
    ChrootDirectory /var/www/website.com/html
    AllowTCPForwarding no
    X11Forwarding no
    ForceCommand internal-sftp

Then restart ssh:

service ssh restart

If you want the same public key that can access your root account to also be able to access the new user account, you can copy over the authorized_keys file. Run:

mkdir -p /home/username/.ssh/
cp /root/.ssh/authorized_keys /home/username/.ssh/authorized_keys
Reply
  • Okidoki September 12, 2014

    Hi, I made the changes as instructed but for some reason both Putty and Filezilla refuse access due to invalid public key. I log in Putty and Filezilla using root’s SSH keys without problem, so it’s strange why it’s not accepting username although the authorized keys are the same.

    I also notice that X11Forwarding is set as Yes by default in /etc/ssh/sshd_config. Should I disable that line first (by commenting it #) before inserting the codes you suggested? Or are those 2 X11Forwarding lines independent to each other, since the no one is within Match User username? BTW, are all the commands below Match User username independent from the rest of the commands in sshd_config? Thanks again!!

  • asb MOD September 12, 2014

    /var/log/auth.log might give you a better idea of what the problem might be. It’s likely you need to change the ownership of the /var/www/website.com/html directory.

    Everything under the Match User block is independent and only applies to that user.

  • Okidoki September 14, 2014

    Thank you for the Match User clarification! Always learn something new :)

    I’m still can’t log in after starting over from scratch (via restored snapshot). This is what /var/log/auth.log says:

    Sep 13 20:35:38 MyAccount sshd[1730]: error: Could not load host key: /etc/ssh/ssh_host_ed25519_key
Sep 13 20:35:39 MyAccount sshd[1730]: error: Received disconnect from 11.11.11.111: 11: No supported authentication methods available [preauth]
Sep 13 20:36:07 MyAccount sshd[1732]: error: Could not load host key: /etc/ssh/ssh_host_ed25519_key
Sep 13 20:36:08 MyAccount sshd[1732]: Accepted publickey for root from 11.11.11.111 port 64054 ssh2: RSA 24:4a:c5:78:22:f7:36:99:bc:5a:9f:1a:ae:87:68:f7
Sep 13 20:36:23 MyAccount sshd[1735]: error: Could not load host key: /etc/ssh/ssh_host_ed25519_key
Sep 13 20:36:24 MyAccount sshd[1735]: Accepted publickey for root from 11.11.11.111 port 64056 ssh2: RSA 24:4a:c5:78:22:f7:36:99:bc:5a:9f:1a:ae:87:68:f7

    BTW, the port I use to log via Putty is not 64056. Maybe that’s the culprit? I don’t know how that number came up. Also, my key bits is 2048, not 1024. Would that be the cause of the problem, too?

    This is my current /etc/nginx/sites-available/default:

    server {
    listen 80;
    server_name website.com;
    return 301 $scheme://www.website.com$request_uri;
}

server {
    listen 80 default_server;
    listen [::]:80 default_server ipv6only=on;

    root /var/www/website.com/html;
    index index.php index.html index.htm;

    server_name www.website.com;

    location ~* .(jpg|jpeg|png|gif|ico|css|js)$ {
        expires 365d;
    }

    location / {
        try_files $uri $uri/ =404;
    }

    error_page 404 /404.html;

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }

    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
    }

}

    And this is my current /etc/ssh/sshd_config:

    #not port 22
Port 12345
Protocol 2

HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

UsePrivilegeSeparation yes

KeyRegenerationInterval 3600
ServerKeyBits 1024

SyslogFacility AUTH
LogLevel INFO

LoginGraceTime 120
PermitRootLogin without-password
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes

IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no

PermitEmptyPasswords no

ChallengeResponseAuthentication no

PasswordAuthentication no

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes

AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

UsePAM no

UseDNS no
AllowUsers root username

Match User username
    ChrootDirectory /var/www/website.com/html
    AllowTCPForwarding no
    X11Forwarding no
    ForceCommand internal-sftp

    I also transferred ownership to the folder by using this code (via this tutorial):

    sudo chown -R $USER:$USER /var/www/website.com/html

    Any help is appreciated! Thanks again!

Have another answer? Share your knowledge.