In this post, I’ll show you how to set up secure FTP (SFTP) access to your Ubuntu server. (Instructions for Debian are very similar: leave out the sudo part and follow these steps as root.)
For this to work, you’ll need Ubuntu 8.10 “Intrepid”, Debian 5.0 “Lenny” or newer. In this example, “mark” is the user who can gain superuser rights through sudo. “peter” and a few other users are the ones I want to give sftp access to their personal folders, but not shell access or anything else.
Step 1: If it doesn’t exist yet, create a group for the users you want to have sftp access only:
mark@neuskeutel:~$ sudo groupadd sftponly
Step 2: Add user “peter” to this group:
mark@neuskeutel:~$ sudo adduser peter sftponly
Step 3: Install openssh-server if it’s not installed yet.
mark@neuskeutel:~$ sudo apt-get install openssh-server
Step 4: Open the default OpenSSH server configuration for editing:
mark@neuskeutel:~$ sudo nano /etc/ssh/sshd_config
Step 5: Change the default sftp server from:
Subsystem sftp /usr/lib/openssh/sftp-server
to
Subsystem sftp internal-sftp
Step 6: Some users should only be able to use sftp, not other OpenSSH features like remote login. Let’s create a rule for that group of users (the sftponly group from step 1). Add the following section to the bottom of /etc/ssh/sshd_config:
Match group sftponly
ChrootDirectory /home/%u
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
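Step 7: Give the superuser ownership of peter’s directory, the one you want to be accessible over sftp (sshd requires the chroot directory to be owned by root):
mark@neuskeutel:~$ sudo chown root:root /home/peter
Step 8: Now we change peter’s home directory (normally /home/peter) to /, because inside the chroot /home/peter is the root of the filesystem he sees:
mark@neuskeutel:~$ sudo usermod -d / peter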
Step 9: Repeat steps 2, 7 and 8 for any other users that you want to give sftp access.
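
The ChrootDirectory from step 6 is only accepted by sshd if every directory on the path (/, /home, /home/peter) is owned by root and not writable by group or others, which is what step 7 sets up. The script below is an added example, not part of the original post, that checks this for a given path; the function names and the optional UID and TOP arguments are assumptions of this example, there so the logic can be tested without root.

```shell
#!/bin/sh
# Added example: pre-flight check for a ChrootDirectory path.
# sshd only accepts the chroot if every directory from / down to it is
# owned by root and not writable by group or others.

# check_dir DIR [UID]: test one path component. UID defaults to 0 (root);
# the parameter is an assumption of this example, used to test without root.
check_dir() {
    cd_dir=$1
    cd_uid=${2:-0}
    [ -d "$cd_dir" ] || { echo "FAIL $cd_dir: not a directory" >&2; return 1; }
    # "ls -ldn DIR/." prints e.g. "drwxr-xr-x 3 0 0 4096 ... DIR/."
    cd_line=$(ls -ldn "$cd_dir/.") || return 1
    cd_perms=${cd_line%% *}
    cd_owner=$(printf '%s\n' "$cd_line" | awk '{print $3}')
    if [ "$cd_owner" != "$cd_uid" ]; then
        echo "FAIL $cd_dir: owner uid $cd_owner, expected $cd_uid" >&2
        return 1
    fi
    case $cd_perms in
        ?????w*|????????w*)   # 6th char = group write, 9th = other write
            echo "FAIL $cd_dir: group/other writable ($cd_perms)" >&2
            return 1 ;;
    esac
    return 0
}

# check_chroot_path PATH [UID] [TOP]: check PATH and each parent up to TOP
# (default /). TOP lets the walk stop inside a scratch tree when testing.
check_chroot_path() {
    cp_uid=${2:-0}
    cp_cur=$(cd "$1" 2>/dev/null && pwd -P) || {
        echo "FAIL $1: cannot enter" >&2; return 1; }
    cp_top=$(cd "${3:-/}" 2>/dev/null && pwd -P) || return 1
    while :; do
        check_dir "$cp_cur" "$cp_uid" || return 1
        if [ "$cp_cur" = "$cp_top" ] || [ "$cp_cur" = / ]; then break; fi
        cp_cur=$(dirname "$cp_cur")
    done
    echo "OK $1"
}

# Stand-alone use: sh check_chroot.sh /home/peter
if [ "$#" -gt 0 ]; then check_chroot_path "$@"; fi
```

Run it against each user's directory after step 7; a FAIL line names the component that would make sshd reject the chroot. Because the chroot itself must stay root-owned and non-writable, any location the user may write to has to be a subdirectory inside it.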


Thanks for this tutorial.
I tested it and it’s ok.
The sftp works only in download mode.
I need also a variation about this configuration of sftp jail.
If the user “peter” also needs to write into his jailed home directory, how is it possible to change the configuration?
I tried to modify the permissions with chmod 766 or 777, or to change the owner of /home/peter, but when I modified this, sftp doesn’t work at all.
I also tried to create a new_group with root and peter, and I changed the owner to root:new_group and gave the group write permission, but it doesn’t work.
Can you enlighten me about this problem?