DigitalOcean

Report this

What is the reason for this report?
Question

Setup a secondary SSH/SFTP user with limited directory access.

Posted on January 15, 2015
chrisatlchris

By chrisatlchris

I am trying to create a new secondary user that has access to SFTP files and SSH access to a specific directory.

I have the SFTP work, but when I try to login via SSH, I get the following error: Write failed: Broken pipe

The root user uses a public/private key, but I want the secondary user to use a password.

Here is what I have so far:

useradd test
passwd test
usermod -G www-data test
usermod -d /usr/share/nginx/html test
chown test:www-data /usr/share/nginx/html

As for additions to my sshd_config:

AllowUsers test

Match User test
        ChrootDirectory /usr/share/nginx/html
        PasswordAuthentication yes
        X11Forwarding no
        AllowTcpForwarding no
        ForceCommand internal-sftp

All I have left todo is to get the test user to be able access the CLI in their home directory to run composer and artisan commands.



This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

Sign In or Sign Up to Answer
These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.
0
virtualexx
virtualexx
July 9, 2017

I executed

useradd test
passwd test
usermod -G www-data test
usermod -d /usr/share/nginx/html test
chown test:www-data /usr/share/nginx/html/*

sshd_config:

AllowUsers test
Match User test
        ChrootDirectory /usr/share/nginx/html
        PasswordAuthentication yes
        X11Forwarding no
        AllowTcpForwarding no

sudo systemctl restart ssh

And the new user still can navigate to any folder outside /usr/share/nginx/html

0
raulrecinosm
raulrecinosm
November 10, 2017

On RHEL dont work :(

0
relativeparallax
relativeparallax
April 12, 2016

By adding ForceCommand internal-sftp you block any access the user would have to any form of CLI, shell or terminal session. In fact, you’ll even ban SCP usage in favor of only sFTP.

If your run sftp test@xxx.xxx.xxx.xxx you will currently be able to list files and navigate the chroot jail and depending on permissions, read or read and write.

Does your user need a direct she’ll or is sFTP sufficient?

Become a contributor for community

Get paid to write technical tutorials and select a tech-focused charity to receive a matching donation.

Sign Up

DigitalOcean Documentation

Full documentation for every DigitalOcean product.

Learn more

Resources for startups and SMBs

The Wave has everything you need to know about building a business, from raising funding to marketing your product.

Learn more

Get our newsletter

Stay up to date by signing up for DigitalOcean’s Infrastructure as a Newsletter.

New accounts only. By submitting your email you agree to our Privacy Policy

The developer cloud

Scale up as you grow — whether you're running one virtual machine or ten thousand.

Get started for free

Sign up and get $200 in credit for your first 60 days with DigitalOcean.*

*This promotional offer applies to new accounts only.

© 2025 DigitalOcean, LLC.Sitemap.