How to Create an SFTP User with Limited Access on Ubuntu

    Sumit Pore
Limit Access of an SFTP User

Hey Folks, I am back. I’ve been busy with client commitments, so I didn’t have much time (not that I have a lot now, so let’s get straight to the point).

As a developer, some day or another, you will (or already have) come across a situation where a client asks you for FTP access to your development site/server. The reason could be anything… I’ve had some clients tell me:

  • I want to check the quality of your code…. okay
  • I want to add a new plugin…. ummm….. fine
  • I want to add some functionality developed by another vendor…. oookkaayy
  • I want to edit the code in some plugin….. oh…ok (panic mode on!)

Whatever the reason might be, you will have to grant access. But if you host all development sites on a single server, you will want to give your client restricted access to it, so that the client can reach only the directory allotted to them.

Since SFTP is more secure than FTP, we always prefer an SFTP setup over an FTP setup. (If you are new to SFTP, you can read about the key differences between FTP and SFTP. Others, read on.)

Restrictive SFTP User

Please note, the process below applies to Ubuntu, and I assume you have already created the site 😀

Let’s assume the root directory of your site is /home/yoursite.com. So when running the below commands, change /home/yoursite.com to your site’s root directory.

Create a New User

Now, let’s create a new user named ‘client_user’ and assign that user /home/yoursite.com as its home directory. Fire up your terminal and connect to your server. Once you are connected, the command below creates the user. Make sure you replace client_user with the username you prefer and /home/yoursite.com with the directory you want to assign to that user.

sudo useradd -d /home/yoursite.com client_user

(Interested in reading about other options which can be passed to useradd? If yes, then you can read through these examples.)

Set a Password

Once the user is created, we need to set a password. To set a password for that user, execute the command below:

sudo passwd client_user

The new user is ready now. It’s time to make some changes to our SSH configuration.

Restrict Access

Open the /etc/ssh/sshd_config file and append the lines below to the end of the file. (Remember to replace client_user with the username you have created.)

# Ubuntu's default sshd_config already has a "Subsystem sftp" line: replace it
# with this one instead of adding a second, or sshd will refuse to start.
Subsystem sftp internal-sftp

# Match blocks belong at the end of the file: every line after "Match" is part of it.
Match User client_user
    ChrootDirectory %h
    AllowTcpForwarding no
    X11Forwarding no
    ForceCommand internal-sftp

%h is expanded by sshd to the user’s home directory.

After making the above changes, save the file and restart the SSH service. To restart the SSH service, execute

sudo service ssh restart


Done! Now try logging into the system with the new user’s credentials, and check if everything is working correctly.

One last tip: For those of you who get a ‘fatal: bad ownership or modes for chroot directory’ error, do not worry. When this issue occurs, we need to make sure that the user’s home directory is owned by root and that no one else can write to it. So change the owner and permissions of the home directory using the following commands:

sudo chown root:root /home/yoursite.com
sudo chmod 755 /home/yoursite.com
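The whole procedure as a script, with the check behind the error above made explicit. This is an added example, not code from the original post; it assumes Ubuntu with GNU coreutils (stat -c) and OpenSSH (sshd -t), and the writable subdirectory name "public" is an assumption, since a root-owned 755 chroot root is read-only for the SFTP user.

```bash
# Added example, not from the original post: the steps above as a script, plus the
# checks the post's troubleshooting tip implies. Assumes Ubuntu with GNU coreutils
# (stat -c) and OpenSSH (sshd -t); setup_sftp_user must run as root.
set -euo pipefail

# sshd accepts a chroot only if the directory and every parent up to / are owned
# by root and writable by nobody else; otherwise it logs the post's "bad ownership
# or modes for chroot directory" error. Returns 1 at the first bad component.
check_chroot_path() {
    local path="$1" owner mode
    while :; do
        owner=$(stat -c '%U' "$path")
        mode=$(stat -c '%a' "$path")
        # a group or other write bit (mask 022) is as fatal as a non-root owner
        if [ "$owner" != root ] || [ $(( 8#$mode & 8#22 )) -ne 0 ]; then
            echo "chroot check failed at $path (owner=$owner mode=$mode)" >&2
            return 1
        fi
        [ "$path" = / ] && return 0
        path=$(dirname "$path")
    done
}

# The post's sshd_config lines as a Match block. It must sit at the END of the
# file, because every directive after a Match line belongs to that block.
render_match_block() {
    cat <<EOF
Match User $1
    ChrootDirectory %h
    AllowTcpForwarding no
    X11Forwarding no
    ForceCommand internal-sftp
EOF
}

# Full procedure. The chroot root ends up root-owned and read-only for the user,
# so they need a writable subdirectory they own; "$2/public" is an assumption.
setup_sftp_user() {
    local user="$1" site_root="$2" cfg=/etc/ssh/sshd_config
    useradd -d "$site_root" "$user"
    passwd "$user"                                   # interactive, as in the post
    chown root:root "$site_root" && chmod 755 "$site_root"
    mkdir -p "$site_root/public" && chown "$user" "$site_root/public"
    check_chroot_path "$site_root"
    # Ubuntu already ships a 'Subsystem sftp' line; a second one stops sshd starting.
    grep -q '^Subsystem[[:space:]]\+sftp' "$cfg" || echo 'Subsystem sftp internal-sftp' >> "$cfg"
    render_match_block "$user" >> "$cfg"
    sshd -t                                          # reject a broken config before restart
    service ssh restart
}
```

Running check_chroot_path on the home directory before the restart tells you which path component sshd will reject, instead of finding out from the auth log after the user fails to log in.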

After changing the permissions, try it again. If it still does not work for you, do leave your comments. I will be more than happy to help you 🙂


3 Responses

    1. The key here, for the next guy, is to place the new lines in the sshd_config file AFTER the ‘UsePAM yes’ line, to avoid mucking up your SSH access.

      Also, it is a generally good idea to have an SSH session open besides the one you are using to do changes when those changes are to SSH, the method you use to access and make changes to start with, just in case…
