Newbie - How to add an SFTP user (using SSH key to login) who has access to specific folder in the server?

Posted September 11, 2014 26.2k views

Hi, I managed to create a droplet with SSH public/private keys from the beginning using this tutorial. Obviously, those SSH keys are assigned only for ‘root’ user, so I’d like to add an additional sudo user who can access ONLY /var/www/ (the default folder for the site’s frontend) folder using Filezilla SFTP with SSH key (no password allowed).

So the question is, how do I pull this off? Is there any tutorial that addresses this? Can the sudo user share the same public/private SSH keys as root? If not, how do I add additional keys without interfering with the existing ones? Thanks in advance!

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

Submit an Answer
1 answer

To limit an SFTP user to a specific directory, you can edit /etc/ssh/sshd_config to include:

Match User username
    ChrootDirectory /var/www/
    AllowTCPForwarding no
    X11Forwarding no
    ForceCommand internal-sftp

Then restart ssh:

service ssh restart 

If you want the same public key that can access your root account to also be able to access the new user account, you can copy over the authorized_keys file. Run:

mkdir -p /home/username/.ssh/
cp /root/.ssh/authorized_keys /home/username/.ssh/authorized_keys
  • Hi, I made the changes as instructed but for some reason both Putty and Filezilla refuse access due to invalid public key. I log in Putty and Filezilla using root’s SSH keys without problem, so it’s strange why it’s not accepting username although the authorized keys are the same.

    I also notice that X11Forwarding is set as Yes by default in /etc/ssh/sshd_config. Should I disable that line first (by commenting it #) before inserting the codes you suggested? Or are those 2 X11Forwarding lines independent to each other, since the no one is within Match User username? BTW, are all the commands below Match User username independent from the rest of the commands in sshd_config? Thanks again!!

  • /var/log/auth.log might give you a better idea of what the problem might be. It’s likely you need to change the ownership of the /var/www/ directory.

    Everything under the Match User block is independent and only applies to that user.

  • Thank you for the Match User clarification! Always learn something new :)

    I’m still can’t log in after starting over from scratch (via restored snapshot). This is what /var/log/auth.log says:

    Sep 13 20:35:38 MyAccount sshd[1730]: error: Could not load host key: /etc/ssh/ssh_host_ed25519_key
    Sep 13 20:35:39 MyAccount sshd[1730]: error: Received disconnect from 11: No supported authentication methods available [preauth]
    Sep 13 20:36:07 MyAccount sshd[1732]: error: Could not load host key: /etc/ssh/ssh_host_ed25519_key
    Sep 13 20:36:08 MyAccount sshd[1732]: Accepted publickey for root from port 64054 ssh2: RSA 24:4a:c5:78:22:f7:36:99:bc:5a:9f:1a:ae:87:68:f7
    Sep 13 20:36:23 MyAccount sshd[1735]: error: Could not load host key: /etc/ssh/ssh_host_ed25519_key
    Sep 13 20:36:24 MyAccount sshd[1735]: Accepted publickey for root from port 64056 ssh2: RSA 24:4a:c5:78:22:f7:36:99:bc:5a:9f:1a:ae:87:68:f7

    BTW, the port I use to log via Putty is not 64056. Maybe that’s the culprit? I don’t know how that number came up. Also, my key bits is 2048, not 1024. Would that be the cause of the problem, too?

    This is my current /etc/nginx/sites-available/default:

    server {
        listen 80;
        return 301 $scheme://$request_uri;
    server {
        listen 80 default_server;
        listen [::]:80 default_server ipv6only=on;
        root /var/www/;
        index index.php index.html index.htm;
        location ~* .(jpg|jpeg|png|gif|ico|css|js)$ {
            expires 365d;
        location / {
            try_files $uri $uri/ =404;
        error_page 404 /404.html;
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root /usr/share/nginx/html;
        location ~ \.php$ {
            try_files $uri =404;
            fastcgi_split_path_info ^(.+\.php)(/.+)$;
            fastcgi_pass unix:/var/run/php5-fpm.sock;
            fastcgi_index index.php;
            include fastcgi_params;

    And this is my current /etc/ssh/sshd_config:

    #not port 22
    Port 12345
    Protocol 2
    HostKey /etc/ssh/ssh_host_rsa_key
    HostKey /etc/ssh/ssh_host_dsa_key
    HostKey /etc/ssh/ssh_host_ecdsa_key
    HostKey /etc/ssh/ssh_host_ed25519_key
    UsePrivilegeSeparation yes
    KeyRegenerationInterval 3600
    ServerKeyBits 1024
    SyslogFacility AUTH
    LogLevel INFO
    LoginGraceTime 120
    PermitRootLogin without-password
    StrictModes yes
    RSAAuthentication yes
    PubkeyAuthentication yes
    IgnoreRhosts yes
    RhostsRSAAuthentication no
    HostbasedAuthentication no
    PermitEmptyPasswords no
    ChallengeResponseAuthentication no
    PasswordAuthentication no
    X11Forwarding yes
    X11DisplayOffset 10
    PrintMotd no
    PrintLastLog yes
    TCPKeepAlive yes
    AcceptEnv LANG LC_*
    Subsystem sftp /usr/lib/openssh/sftp-server
    UsePAM no
    UseDNS no
    AllowUsers root username
    Match User username
        ChrootDirectory /var/www/
        AllowTCPForwarding no
        X11Forwarding no
        ForceCommand internal-sftp

    I also transferred ownership to the folder by using this code (via this tutorial):

    sudo chown -R $USER:$USER /var/www/

    Any help is appreciated! Thanks again!