You can use $ tail -F /var/log/auth.log
to debug any problems.
Creating a new partition (optional)
Depending on whether or not to do is is up to you. I’d recommend Making a new partition if:
- Storing a lot data you don’t wanna lose when the server OS breaks
- Extra security, you can create an encrypted partition
Creating the user
$ sudo adduser --shell /usr/sbin/nologin [USER]
You can create a random password for the accounts since they aren’t used anyway. Add their SSH key to their home directory.
Creating a group (optional)
If you don’t want to create a group you can skip this step.
$ sudo groupadd [GROUP]
$ sudo usermod -aG [GROUP] [USER]
Creating the directories
We need to create a directory to store the password database in. We also need to create a directory to chroot the user in, so it can’t access anything else on the server.
$ sudo mkdir -p /var/sftp/files/
$ sudo chown root:root /var/sftp/
$ sudo chown [USER/root]:[USER/GROUP] /var/sftp/files/
$ sudo chmod -R ug+rwx /var/sftp/files/
$ sudo chmod -R o-rwx /var/sftp/files/
root
has to own every parent directory for the folder so it has to own var/
and sftp/
If you have created a group, set the group bit to the file /var/sftp/files/
folder to allow anyone in the group to upload and access any file.
$ sudo chmod g+s /var/sftp/files/
The users have to put the files inside of the files/
folder they can’t create or modify anything in the sftp/
directory, that’s where the files/
directory comes in.
If you have a main SSH user that also needs access to that allow “other” to “execute” the parent folders and specify the SFTP directory in Filezilla.
Setting up SFTP
We need to configure the SSH server to only allow SFTP for the user by adding this to the bottom of the /etc/ssh/sshd_config
file.
Match <User [USER] / Group [GROUP]>
ForceCommand internal-sftp [-u <umask>]
PasswordAuthentication no
ChrootDirectory /var/sftp
PermitTunnel no
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no
If you want the files to have default permissions, add a umask to the ForceCommand
. You can get a list of the umasks here↗.
Now we just need to restart the SSH server to apply the changes.
$ sudo systemctl restart sshd
Removing a user
If you wanna get rid of a user you can just delete the user account or remove them from the SFTP group.
Deleting the user account
$ sudo deluser [USER]
If you wanna remove the home directory use the --remove-home
switch.
Deleting user from group
$ sudo gpasswd -d [USER] [GROUP]
Deleting the entire group
$ sudo delgroup [GROUP]