SFTP uses SSH to establish a secure connection between computers for transferring files.
With an SFTP server you can easily upload files to, or download files from, your server. On a web server, for example, this is useful for deploying website updates to your VPS or instance.
SFTP is included by default in modern Linux distributions such as Ubuntu, Debian, AlmaLinux, Rocky Linux and CentOS Stream. In this article we show how to adjust the OpenSSH configuration so that SFTP users have no further SSH access to your server and SFTP access is restricted to a specific directory per user.
Step 1
Connect to your server via SSH, the VPS console (VPS) or the OpenStack console (OpenStack instance).
Step 2
All user accounts in Linux belong to one (or more) group(s). For security reasons, and to make it easier to manage SFTP accounts in bulk, create a group to which the SFTP users will be added:
sudo groupadd sftp
You’re free to change the group name as you wish. If you do, make sure to change the group name in the following steps as well.
Step 3
Next, create a user with the commands below, replacing username with the actual SFTP username and /sftp with the base directory under which this user's upload directory will live (e.g. /sftp/username/files).
sudo useradd -g sftp -d /sftp -s /usr/sbin/nologin username
sudo passwd username
For a web hosting server, for instance, this could look like:
sudo useradd -g sftp -d /var/www/example.com/ -s /sbin/nologin example
sudo passwd example
- useradd: adds a new user
- -g sftp: adds the new user to the sftp group
- -d /sftp: sets /sftp as this user’s home directory
- -s /sbin/nologin (or /usr/sbin/nologin, depending on the distribution): assigns a shell that refuses logins, i.e. no shell access via SSH
- username: the new user’s username
- passwd username: sets a password for the new user
Step 4
Then create the directory to which the new user can upload files.
sudo mkdir -p /sftp/username/files
In our earlier web hosting example, this would be:
sudo mkdir -p /var/www/example.com/public_html
- Adjust username to the username you chose in step 3.
- The -p flag (--parents) ensures that the intermediate directories sftp and username are created too.
- You’re free to change the directory to another location, for example:
  - If you host a website in /var/www/example.com/public_html, you would use /var/www/example.com/public_html here.
  - If you want to add an SFTP directory in a home directory, replace /sftp with /home/username/sftp, for example. Note that in this case the user must already exist.
  - If you use a media server, for example with Block Storage, you could use /mnt/bigstorage/plex-media/pictures (and/or videos / series).
Step 5
Adjust the permissions and ownership of the directories with the commands below.
This ensures that, ultimately, the SFTP user only has rights to perform actions in /sftp/username/files, and not in the parent directories.
sudo chmod 500 /sftp
sudo chmod 700 /sftp/username/files
sudo chown root:root /sftp/username
sudo chown username:sftp /sftp/username/files
- chmod 500 /sftp: grants only the owner of /sftp (root, since it was created with sudo) read and execute rights on the /sftp directory.
- chmod 700 /sftp/username/files: grants only the owner of /sftp/username/files read, write and execute rights in that directory.
- chown root:root /sftp/username: makes root the owner and group owner of /sftp/username.
- chown username:sftp /sftp/username/files: makes the user “username” and the group “sftp” (the group to which username belongs) the owners of /sftp/username/files.
Step 6
Next, a small adjustment is needed to your SSH server configuration. First open the configuration, for example:
sudo nano /etc/ssh/sshd_config
Step 7
Scroll all the way to the bottom and add the lines below. The Match block has to come last, because every directive after a Match line applies only to the connections that block matches.
AllowGroups ssh sftp
Match Group sftp
ChrootDirectory /sftp/%u
ForceCommand internal-sftp
Users in the sftp group will then automatically be placed in the /sftp/%u directory, where %u is replaced by the name of the user who logs in.
Save the changes and exit nano with ctrl + x > y > enter.
In our earlier web hosting example you would use the following code:
AllowGroups sftp sshd
Match Group sftp
ChrootDirectory /var/www/%u.com
ForceCommand internal-sftp -d /public_html
Step 8
Finally, restart your SSH server to apply the change:
sudo systemctl restart sshd
You can now connect to your server via SFTP! Make sure you select SFTP as the protocol in your SFTP software instead of FTP/FTPS. You also use your SSH port instead of your FTP port. If you’re not sure which port this is, you can find it on your server with:
grep Port /etc/ssh/sshd_config
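Two things in steps 7 and 8 deserve a check before the restart, and the script below performs them as an added example that is not part of the article. First, AllowGroups is a whitelist: once it is set, an account that is in none of the listed groups can no longer log in at all, so the group named next to sftp must be one your own administrative account belongs to. Second, grep Port will often show only a commented #Port 22 line, which merely documents the default of 22. The script assumes a Linux host with sshd_config at /etc/ssh/sshd_config (overridable), that sshd is installed and the script runs as root for the syntax check, and that the sshd_config only uses Match Group as in this article.

```shell
#!/bin/sh
# Added example (not the article's own script): pre-flight checks to run
# before "systemctl restart sshd". Assumes Linux, the configuration in
# /etc/ssh/sshd_config (overridable) and root for the sshd syntax check.

# Print the listening port(s) configured in FILE. A commented "#Port 22"
# only documents the default, so with no active Port line the answer is 22.
# Port is not allowed inside Match blocks, so the whole file is scanned.
effective_ports() {
    ports=$(awk 'tolower($1) == "port" { print $2 }' "$1")
    if [ -z "$ports" ]; then
        echo 22
    else
        echo "$ports"
    fi
}

# Return 0 when USER is in at least one group named on the global AllowGroups
# line of FILE (or when there is no such line). Only an AllowGroups before
# the first Match block is global. Wildcard patterns are not expanded here;
# group names are compared literally.
check_allowgroups() {
    cfg=$1
    user=${2:-$(id -un)}
    allowed=$(awk '/^[[:space:]]*[Mm]atch[[:space:]]/ { exit }
                   tolower($1) == "allowgroups" { for (i = 2; i <= NF; i++) print $i; exit }' "$cfg")
    if [ -z "$allowed" ]; then
        return 0
    fi
    for g in $(id -Gn "$user"); do
        for a in $allowed; do
            if [ "$g" = "$a" ]; then
                return 0
            fi
        done
    done
    echo "WARNING: $user is in none of AllowGroups ($allowed); restarting sshd would lock this account out" >&2
    return 1
}

# preflight [FILE] [ADMIN_USER] [SFTP_USER]: syntax check, effective settings
# for one SFTP user, lockout check and a port summary.
preflight() {
    cfg=${1:-/etc/ssh/sshd_config}
    admin=${2:-$(id -un)}
    sftp_user=${3:-username}        # placeholder: the account from Step 3
    if command -v sshd >/dev/null 2>&1; then
        # a syntax error found here costs nothing; found after the restart it
        # costs the SSH service
        sshd -t -f "$cfg" || return 1
        # -T prints the effective configuration; -C evaluates Match Group for
        # that user (other Match criteria would also need host= and addr=)
        sshd -T -f "$cfg" -C "user=$sftp_user" \
            | grep -iE '^(chrootdirectory|forcecommand|allowgroups) ' || true
    fi
    check_allowgroups "$cfg" "$admin" || return 1
    echo "sshd listens on port(s): $(effective_ports "$cfg" | tr '\n' ' ')"
}

# With no arguments only the functions are defined; otherwise, for example:
#   sudo sh sshd-preflight.sh /etc/ssh/sshd_config admin example
if [ $# -ge 1 ]; then
    preflight "$@"
fi
```

Run it from the session you are already logged in to, and keep that session open until a second SFTP and a second SSH login have both succeeded after the restart; the lockout check only compares group names, so a typo in the Match Group line is caught by sshd -T output rather than by the script itself.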