Set up a secondary SSH/SFTP user with limited directory access.

January 15, 2015

I am trying to create a new secondary user that has access to SFTP files and SSH access to a specific directory.

I have SFTP working, but when I try to log in via SSH, I get the following error: Write failed: Broken pipe

The root user uses a public/private key, but I want the secondary user to use a password.

Here is what I have so far:

useradd test
passwd test
usermod -G www-data test
usermod -d /usr/share/nginx/html test
chown test:www-data /usr/share/nginx/html

As for additions to my sshd_config:

AllowUsers test

Match User test
        ChrootDirectory /usr/share/nginx/html
        PasswordAuthentication yes
        X11Forwarding no
        AllowTcpForwarding no
        ForceCommand internal-sftp

All I have left to do is to get the test user to be able to access the CLI in their home directory to run composer and artisan commands.

  • when you ssh in, you can add -v which will give you verbose output (helps figure out the problem)

    ssh -v
  • Directory /usr/share/nginx/html must be owned by root, and the content in this directory must belong to test:www-data. Otherwise you are going to get an SSH error: fatal: bad ownership or modes for chroot directory component

    So we need to execute:

    chown root:root /usr/share/nginx/html
    chown test:www-data /usr/share/nginx/html/*
  • I followed these instructions but can't log in with:


    The error message says the following:
    Could not chdir to home directory /usr/share/nginx/html: No such file or directory
    This service allows sftp connections only.
    Connection to closed.

    Does anyone know how to fix that?
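
The ownership rule from the comment above can be checked before restarting sshd: every component of the ChrootDirectory path must be a root-owned directory that is not writable by group or others. The following is an added example, not code from this thread; the uid 1001 for the test user and the stat table are constructed so the script runs offline.

```python
import os
import stat
import sys
from collections import namedtuple

def chroot_problems(path, stat_fn=os.stat):
    """List (component, reason) pairs that make sshd refuse `path` as a chroot."""
    if not path.startswith("/"):
        return [(path, "not an absolute path")]
    problems, component = [], "/"
    for part in [""] + [p for p in path.split("/") if p]:
        component = os.path.join(component, part) if part else "/"
        try:
            st = stat_fn(component)
        except OSError as exc:
            problems.append((component, "cannot stat: %s" % exc.strerror))
            break
        if not stat.S_ISDIR(st.st_mode):
            problems.append((component, "not a directory"))
            break
        if st.st_uid != 0:
            problems.append((component, "owned by uid %d, not root" % st.st_uid))
        if st.st_mode & 0o022:
            problems.append((component, "group/other writable (mode %o)" % stat.S_IMODE(st.st_mode)))
    return problems

# Constructed sample data: uid 1001 stands in for the "test" user.
FakeStat = namedtuple("FakeStat", "st_uid st_mode")

def fake_stat(table):
    """Build a stat function backed by {path: (uid, mode)} for offline runs."""
    def stat_fn(path):
        if path not in table:
            raise FileNotFoundError(2, "No such file or directory", path)
        uid, mode = table[path]
        return FakeStat(uid, stat.S_IFDIR | mode)
    return stat_fn

PARENTS = {p: (0, 0o755) for p in ("/", "/usr", "/usr/share", "/usr/share/nginx")}
DOCROOT = "/usr/share/nginx/html"
BEFORE = {**PARENTS, DOCROOT: (1001, 0o755)}  # state after chown test:www-data
AFTER = {**PARENTS, DOCROOT: (0, 0o755)}      # state after chown root:root

if __name__ == "__main__":
    # With an argument, check a real path on this host; otherwise use the sample.
    fn = os.stat if len(sys.argv) > 1 else fake_stat(BEFORE)
    results = chroot_problems(sys.argv[1] if len(sys.argv) > 1 else DOCROOT, fn)
    for component, reason in results:
        print("%s: %s" % (component, reason))
    sys.exit(1 if results else 0)
```

Run it with the chroot path as its argument on the server; an empty result means the path passes this ownership and mode check.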

3 Answers

By adding ForceCommand internal-sftp you block any access the user would have to any form of CLI, shell or terminal session. In fact, you'll even ban SCP usage in favor of only sFTP.

If you run sftp you will currently be able to list files and navigate the chroot jail and, depending on permissions, read or read and write.

Does your user need a direct shell or is sFTP sufficient?

I wanted to create a user with sftp access to a specific folder and access to a chrooted environment. How is it possible to create such a chrooted setup?

I've run those scripts but when I try to log in, I get:

myuser:~ titi# sftp
The authenticity of host ' (' can't be established.
ECDSA key fingerprint is SHA256:gF2gtBdaBGE2wS5doknd+HimlFmjHYKNO+m192iuv6w.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '' (ECDSA) to the list of known hosts.
Permission denied (publickey).
Connection closed

Am I missing the certificate creation or something like that?
