This is a short guide to setting up a chrooted SFTP user group on Ubuntu. It has been tested on Ubuntu 16.04 but should also work on 14.04 and 18.04.
Let’s start by logging in as root,
% sudo -s
Add a user,
% adduser <username>
You will be prompted for a password. This will allow access to the server via password authentication.
Create an SFTP group,
% groupadd sftpusers
Now let’s add our user to the group,
% usermod -a -G sftpusers <username>
Create the directories where file sharing will occur. We want to prevent our SFTP users from reaching the rest of the file system, so we will confine them to a single folder.
I like to create a root /sftp folder and have that be the chrooted directory.
% mkdir /sftp
Most of the time we need an incoming and an outgoing folder for files.
% mkdir /sftp/shared
% mkdir /sftp/shared/incoming
% mkdir /sftp/shared/outgoing
If this SFTP server will be multipurpose, you may want to add additional subfolders under incoming and outgoing, for example
First we will restrict writing to /sftp to the folder owner only. This is not optional: sshd refuses to chroot into a directory unless it, and every directory above it, is owned by root and not writable by group or others,
% chmod 755 /sftp
Let's make sure root owns the chroot directory,
% chown root:root /sftp
Now we need to give our SFTP users access to the shared folder and subfolders through our group.
% chown root:sftpusers -R /sftp/shared
We still need to allow our SFTP users to write to the incoming folder. The command below hands it to the single user we created; if several members of sftpusers need to upload, you will also want the directory to be group-writable,
% chown <username>:sftpusers -R /sftp/shared/incoming/
Pay close attention to the file name: edit sshd_config (the server configuration), not ssh_config (the client configuration),
% vim /etc/ssh/sshd_config
Find the existing Subsystem line (on Ubuntu it is Subsystem sftp /usr/lib/openssh/sftp-server, under /usr/lib, not /var/lib) and comment it out, i.e.
#Subsystem sftp /usr/lib/openssh/sftp-server
Add the line below the commented out line,
Subsystem sftp internal-sftp
Head to the bottom of the file and add the following lines. A Match block applies to every line that follows it, so it must come after all of the global settings,
Match Group sftpusers
    ChrootDirectory /sftp
    X11Forwarding no
    AllowTcpForwarding no
    AllowAgentForwarding no
    ForceCommand internal-sftp
    PasswordAuthentication yes
Save and exit.
Restart the SSH server. Keep your current session open until you have confirmed that a new login still works, so a typo in sshd_config cannot lock you out,
% /etc/init.d/ssh restart
That's it, you should now be able to sftp to the server using the username and password you created,
% sftp <username>@<server>
<username>@<server>'s password:
sftp>
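As an added example (not part of the original guide), the steps above are collected below into one idempotent shell script. It assumes Ubuntu with GNU coreutils (stat -c, sed -i), the chroot at /sftp, the group sftpusers and the config at /etc/ssh/sshd_config; the helper names (sftp_match_block, chroot_entry_ok, check_chroot_path, setup_sftp) are my own. It adds the two checks a practitioner wants that the guide only implies: it walks the chroot path to confirm every component is root-owned and not group/world-writable before touching sshd, and it runs sshd -t before restarting.

```shell
#!/bin/sh
# Added example, not from the original guide. Assumes Ubuntu (GNU stat/sed),
# chroot /sftp, group sftpusers, config /etc/ssh/sshd_config.
set -eu

SFTP_ROOT=/sftp
SFTP_GROUP=sftpusers
SSHD_CONFIG=/etc/ssh/sshd_config

# Print the Match block the guide appends to sshd_config.
sftp_match_block() {
  cat <<EOF
Match Group $1
    ChrootDirectory $2
    X11Forwarding no
    AllowTcpForwarding no
    AllowAgentForwarding no
    ForceCommand internal-sftp
    PasswordAuthentication yes
EOF
}

# sshd refuses a chroot whose directory, or any parent, is not owned by root
# or is writable by group/other ("bad ownership or modes for chroot directory").
# $1 = owner uid, $2 = symbolic mode as printed by stat %A / ls -ld.
chroot_entry_ok() {
  [ "$1" = 0 ] || return 1
  case "$2" in
    ?????w*)    return 1 ;;   # group write bit set
    ????????w*) return 1 ;;   # other write bit set
  esac
  return 0
}

# Walk from the chroot up to / and apply chroot_entry_ok to each component.
check_chroot_path() {
  _p=$1
  while :; do
    _st=$(stat -c '%u %A' "$_p") || return 1
    set -- $_st
    chroot_entry_ok "$1" "$2" || {
      echo "$_p: uid $1 mode $2 is not acceptable for ChrootDirectory" >&2
      return 1
    }
    [ "$_p" = / ] && return 0
    _p=$(dirname "$_p")
  done
}

# Create the group, user, directory tree and sshd configuration (run as root).
setup_sftp() {
  user=$1
  getent group "$SFTP_GROUP" >/dev/null || groupadd "$SFTP_GROUP"
  id "$user" >/dev/null 2>&1 || adduser "$user"        # prompts for a password
  usermod -a -G "$SFTP_GROUP" "$user"

  mkdir -p "$SFTP_ROOT/shared/incoming" "$SFTP_ROOT/shared/outgoing"
  chown root:root "$SFTP_ROOT"
  chmod 755 "$SFTP_ROOT"
  chown -R root:"$SFTP_GROUP" "$SFTP_ROOT/shared"
  chown -R "$user":"$SFTP_GROUP" "$SFTP_ROOT/shared/incoming"
  check_chroot_path "$SFTP_ROOT"

  # Switch the subsystem to internal-sftp (required for ChrootDirectory) and
  # append the Match block once; Match must stay at the end of the file.
  sed -i 's|^Subsystem[[:space:]][[:space:]]*sftp[[:space:]].*|Subsystem sftp internal-sftp|' "$SSHD_CONFIG"
  if ! grep -q "^Match Group $SFTP_GROUP" "$SSHD_CONFIG"; then
    { printf '\n'; sftp_match_block "$SFTP_GROUP" "$SFTP_ROOT"; } >> "$SSHD_CONFIG"
  fi

  # Validate before restarting so a typo cannot lock you out of SSH.
  /usr/sbin/sshd -t
  service ssh restart
}

# Usage (as root):  sh sftp-setup.sh --apply <username>
#                   sh sftp-setup.sh --check [/sftp]
case "${1:-}" in
  --apply) setup_sftp "${2:?username required}" ;;
  --check) check_chroot_path "${2:-$SFTP_ROOT}" ;;
esac
```

The --check mode is useful on its own: if a login fails with "Connection closed" right after authentication, run it against the ChrootDirectory and it will name the first path component whose ownership or mode sshd will reject.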