Creating SFTP accounts in Ubuntu – e.g for uploading website files
As stated before, I’m fairly new to the Linux world, but have been using it in earnest for about 18months now, and I like it. a lot.
I have recently setup a new webserver, using Cherokee on Ubuntu, and then had to undergo the task of giving SFTP access to users, so that they could upload their websites and files.
Here’s the instructions that I used, which we’re taken from http://shapeshed.com/journal/chroot_sftp_users_on_ubuntu_intrepid/
but didn’t entirely work, so I’m re-writing them with what worked on my webserver.
The process consists of 2 main steps
- create a user with the relevant settings
- setup ssh to work with the sftp group and accept inbound SFTP style connections
CREATE SFTP ACCOUNT
sudo groupadd sftp
no need to use sudo if you’re logged in as root. Bad practice, I know, but Â takes out some confusion for people.
CREATE A USER and set their home directory as the root of their website folder
sudo useradd -d /var/www/thewebsite.com username
CREATE A PASSWORD
sudo passwd username
MODIFY THE USER TO ADD THEM TO YOUR NEW SFTP GROUP
sudo usermod Â -g sftp username
MODIFY THE USER AND DENY ACCESS TO A SHELL – I.E THEY WON’T BE ABLE TO LOGIN TO A SHELL
sudo usermod -s /bin/false username
EDIT YOUR SSH CONFIG FILE
sudo vim /etc/ssh/sshd_config
CHANGE THE SUBSYSTEM line
Firstly comment out the following line
# Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem sftp internal-sftp
Then add this to the bottom of the file
Match group sftp
at this point I decided to restart ssh just to make sure the changes were ok
sudo /etc/init.d/ssh restart
If any of the lines are formatted badly ssh may not restart.
Finally you need to set the permissions of the website folder to allow access to the files for your new user. Basically, root needs to have access to the root website folder and your new user needs access to the files and folders beneath.
My websites live in /var/www. To check I issue
This shows me that all the website root folders are owned by root root, which is correct. If they are not you need to
chown root:root thewebsite.com
Then we need to set the permissions beneath this folder for the new user. So I
chown username:sftp -R *
Now when I issue an ls-l I can see all the files owned by my user and in the group SFTP
and That’s It
Now users can be given the username and password setup, use a STFP client, such as CoreFTP Lite, and SFTP into my Ubuntu box. They ONLY have access to their folder as the root of their access is their home folder. they cannot browse anywhere else.