Setting up a secure SFTP server with restricted user access is a common requirement for businesses that need to provide file upload capabilities to clients or partners. In this guide, we'll walk through creating an SFTP user with key-based authentication and access limited to a specific directory.
Why Use SFTP with Restricted Access?
SFTP (SSH File Transfer Protocol) provides several advantages over traditional FTP:
- Encrypted data transmission
- Key-based authentication for enhanced security
- Ability to restrict users to specific directories (chroot jail)
- Built-in with SSH, no additional software required
Prerequisites
- Ubuntu server with SSH access
- Root or sudo privileges
- Public key from the user who will access the SFTP server
Step 1: Create the SFTP User
First, let's create a dedicated user for SFTP access. We'll use /bin/false as the shell to prevent SSH login while allowing SFTP:
sudo useradd -m -s /bin/false fileupload_userThis creates a user named fileupload_user with a home directory but no shell access.
Step 2: Set Up the Directory Structure
For SFTP chroot to work properly, we need to create a specific directory structure with correct ownership and permissions:
# Create the main SFTP directory (must be owned by root)
sudo mkdir -p /var/sftp_files
sudo chown root:root /var/sftp_files
sudo chmod 755 /var/sftp_files
# Create the upload directory where user can write files
sudo mkdir -p /var/sftp_files/uploads
sudo chown fileupload_user:fileupload_user /var/sftp_files/uploads
sudo chmod 755 /var/sftp_files/uploadsImportant: The chroot directory (/var/sftp_files) must be owned by root for security reasons. Only subdirectories can be owned by the SFTP user.
Step 3: Configure SSH for SFTP
Edit the SSH daemon configuration file:
sudo nano /etc/ssh/sshd_configAdd the following configuration at the end of the file:
# Ensure key-based authentication is enabled
PubkeyAuthentication yes
PasswordAuthentication no
# SFTP subsystem (usually already present)
Subsystem sftp internal-sftp
# Configuration for our SFTP user
Match User fileupload_user
ChrootDirectory /var/sftp_files
ForceCommand internal-sftp
AllowTcpForwarding no
X11Forwarding no
PasswordAuthentication noThis configuration:
- Restricts the user to the
/var/sftp_filesdirectory - Forces SFTP-only access (no shell)
- Disables port forwarding and X11 forwarding
- Ensures only key authentication is used
Step 4: Set Up SSH Key Authentication
Create the SSH directory structure for the user:
# Create .ssh directory
sudo mkdir -p /home/fileupload_user/.ssh
sudo chown fileupload_user:fileupload_user /home/fileupload_user/.ssh
sudo chmod 700 /home/fileupload_user/.ssh
# Create authorized_keys file
sudo touch /home/fileupload_user/.ssh/authorized_keys
sudo chown fileupload_user:fileupload_user /home/fileupload_user/.ssh/authorized_keys
sudo chmod 600 /home/fileupload_user/.ssh/authorized_keysStep 5: Add the Public Key
Add the user's public key to the authorized_keys file:
sudo nano /home/fileupload_user/.ssh/authorized_keysPaste the public key provided by your user. It should look something like:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC7... user@hostnameor for Ed25519 keys:
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI... user@hostnameStep 6: Restart SSH Service
Apply the configuration changes:
sudo systemctl restart sshVerify the service started successfully:
sudo systemctl status sshStep 7: Test the Connection
The user can now connect using their private key:
sftp -i /path/to/private_key fileupload_user@your_server_ipOnce connected, they should see the uploads directory and be able to navigate into it:
sftp> ls
uploads
sftp> cd uploads
sftp> put localfile.txtSecurity Best Practices
1. Key Management
- Use strong key pairs (RSA 4096-bit or Ed25519)
- Regularly rotate keys
- Store private keys securely
2. Directory Permissions
Always verify your directory permissions:
# Check the chroot directory (should be root:root 755)
ls -ld /var/sftp_files
drwxr-xr-x 3 root root 4096 Jan 15 10:30 /var/sftp_files
# Check the upload directory (should be user:user 755)
ls -ld /var/sftp_files/uploads
drwxr-xr-x 2 fileupload_user fileupload_user 4096 Jan 15 10:31 /var/sftp_files/uploads3. Monitoring and Logging
Monitor SFTP access by checking SSH logs:
sudo tail -f /var/log/auth.log | grep fileupload_userTroubleshooting Common Issues
Connection Refused
- Check if SSH service is running:
sudo systemctl status ssh - Verify the port is open:
sudo ufw statusorsudo iptables -L
Permission Denied
- Verify directory ownership and permissions
- Check that the chroot directory is owned by root
- Ensure the private key has correct permissions (600)
User Can't Write Files
- Confirm the upload directory is owned by the SFTP user
- Check that the user has write permissions on the target directory
Authentication Failures
- Verify the public key is correctly formatted in authorized_keys
- Check SSH logs for specific error messages
- Ensure the authorized_keys file has correct permissions (600)
Advanced Configuration Options
Multiple Upload Directories
You can create multiple subdirectories for different purposes:
sudo mkdir -p /var/sftp_files/{incoming,processed,archived}
sudo chown fileupload_user:fileupload_user /var/sftp_files/{incoming,processed,archived}Bandwidth Limiting
Limit bandwidth usage by adding to the Match block:
Match User fileupload_user
ChrootDirectory /var/sftp_files
ForceCommand internal-sftp
AllowTcpForwarding no
X11Forwarding no
PasswordAuthentication no
MaxStartups 2
MaxAuthTries 3Conclusion
Setting up a secure SFTP user with restricted access provides a robust solution for file transfers while maintaining system security. The combination of key-based authentication, chroot jail, and proper directory permissions ensures that users can only access their designated areas.
Remember to regularly review your SFTP configurations, monitor access logs, and keep your SSH service updated to maintain security. This setup provides a solid foundation that can be adapted for various business requirements while keeping your server secure.
Quick Reference Commands
# Create user
sudo useradd -m -s /bin/false fileupload_user
# Set up directories
sudo mkdir -p /var/sftp_files/uploads
sudo chown root:root /var/sftp_files
sudo chown fileupload_user:fileupload_user /var/sftp_files/uploads
# Set up SSH keys
sudo mkdir -p /home/fileupload_user/.ssh
sudo chmod 700 /home/fileupload_user/.ssh
sudo touch /home/fileupload_user/.ssh/authorized_keys
sudo chmod 600 /home/fileupload_user/.ssh/authorized_keys
# Connect
sftp -i private_key fileupload_user@server_ipThis configuration provides a secure, restricted SFTP environment perfect for business file transfer needs.