Setting up an SFTP-only account with OpenSSH

There are many guides on creating SFTP-only accounts, but I found that most of them are outdated and do not make use of the features of recent OpenSSH releases: the internal-sftp subsystem, ChrootDirectory and Match blocks. In this HOWTO I describe how I set up an SFTP account that allows a group of users to collaboratively maintain a website.

Requirements

For my SFTP account I had the following requirements:

  1. Support public key authentication;
  2. Use a chroot environment;
  3. Enforce SFTP only.

Configuration

First of all we need to create a group that is used to match the SFTP-only users:

sudo groupadd -r sftponly

Now our users need to be made members of the sftponly group. When you create a new user, pass the -G sftponly option to useradd (the login shell given with -s is never executed once internal-sftp is forced, so /usr/sbin/nologin works just as well as /bin/sh):

sudo useradd -m -G sftponly -b /home -s /bin/sh -c 'SFTP account for username' username

To turn an existing user into an sftponly user, pass the options -a -G sftponly to usermod:

sudo usermod -a -G sftponly username

We also need to create the directory into which we will chroot our users. sshd requires this directory, and every component of its path, to be owned by root and not writable by group or others; otherwise it refuses the login and logs "bad ownership or modes for chroot directory component". So keep root as owner and do not loosen the mode:

sudo mkdir -p /path/to/chroot
sudo chmod 0755 /path/to/chroot

For each user we need to create a directory into which they can write. Their home directories lie outside the chroot, so after login they start in the root of the chroot (/) and have to change into their own directory:

sudo mkdir -p /path/to/chroot/username
sudo chown username:username /path/to/chroot/username
sudo chmod 0700 /path/to/chroot/username

Next, edit the SSHD configuration /etc/ssh/sshd_config and add a Match block that enforces SFTP for members of the sftponly group. Put it at the end of the file, because every directive that follows a Match line belongs to that block until the next Match. ForceCommand internal-sftp runs the SFTP server inside sshd itself, so no binaries or libraries are needed inside the chroot. ForceCommand alone does not stop TCP or X11 forwarding, and password logins remain possible unless they are disabled, so switch those off in the same block. Afterwards run sshd -t to check the syntax before reloading sshd; a typo in sshd_config can lock you out.

Match Group sftponly
  ForceCommand internal-sftp
  ChrootDirectory /path/to/chroot
  PubkeyAuthentication yes
  PasswordAuthentication no
  AllowTcpForwarding no
  X11Forwarding no

Finally we need to install the user's public key in the home directory of the user. The key pair is generated with ssh-keygen on the user's own computer, where the public half is found in ~/.ssh/id_rsa.pub (id_ed25519.pub for an Ed25519 key). Its contents must be appended to the authorized keys file on the server (~/.ssh/authorized_keys). This is the user's real home directory, outside the chroot: sshd reads authorized_keys before it chroots, so nothing needs to be copied into /path/to/chroot.

sudo mkdir -p ~username/.ssh
sudo chmod 0700 ~username/.ssh
# the >> redirection is performed by your own shell, not by sudo, so
# "sudo cat id_rsa.pub >> ..." fails with permission denied; append via sudo tee -a
cat id_rsa.pub | sudo tee -a ~username/.ssh/authorized_keys > /dev/null
sudo chmod 0600 ~username/.ssh/authorized_keys
sudo chown -R username:username ~username/.ssh

Conclusions

With these steps I created a tightly locked-down environment that allows users to upload files. This setup has significant advantages over old-fashioned FTP accounts: both authentication and data are encrypted instead of travelling in plain text; it is more firewall friendly, since it only uses a single port (22/tcp) rather than FTP's separate control and data connections; and it does away with password authentication, which is one of the major risks on the internet.