A simple secure SFTP setup.

New users have bash and similar shells disabled, are allowed to authenticate with a password, and are jailed in their home directory.

The initial setup prepares the host for easy user management.
Disable password authentication for all users, with an exception for the SFTP-only groups (sftp-admin and sftp-client).

- Create the new groups sftp-admin and sftp-client:

  ```
  sudo groupadd sftp-admin
  sudo groupadd sftp-client
  ```

- Modify the SSH configuration in the /etc/ssh/sshd_config file (the Match blocks must stay at the end of the file, after every global setting, because everything that follows a Match line belongs to that block):

  ```
  AddressFamily inet
  PermitRootLogin no
  PasswordAuthentication no
  ...
  Match Group sftp-admin
      PasswordAuthentication yes
  Match Group sftp-client
      PasswordAuthentication yes
  ```

- Restart the process to apply changes:

  ```
  sudo systemctl restart ssh
  ```
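To see why the three global lines and the two Match blocks above combine into "passwords off for everyone except the two groups", here is a small resolver written as an added example for this page (not code from OpenSSH, MySecureShell or the original author). It applies the precedence rules from sshd_config(5): a keyword takes its global value unless a Match block whose criteria fit the connection sets it, and when several blocks fit, the first one that sets the keyword wins. The config text and the user-to-group memberships are constructed samples; the audit also flags the case the note further down warns about, an admin account that can still log in with a password, and the ordering mistake of placing a "global" line after the first Match.

```python
"""Resolve the value sshd would use for a keyword under sshd_config Match rules.
Example code added for this page; not part of OpenSSH or MySecureShell."""

# Constructed sshd_config fragment mirroring the page's setup (sample, not a real host's file).
SAMPLE_SSHD_CONFIG = """\
AddressFamily inet
PermitRootLogin no
PasswordAuthentication no

Match Group sftp-admin
    PasswordAuthentication yes

Match Group sftp-client
    PasswordAuthentication yes
"""

# Constructed membership: the groups each sample user belongs to.
SAMPLE_USERS = {
    "admin1": ["sftp-admin"],
    "client1": ["sftp-client"],
    "ops": ["sudo"],
}


def parse_sshd_config(text):
    """Split sshd_config into global settings and an ordered list of Match blocks.

    Returns (global_settings, blocks); blocks is a list of (criteria, settings).
    Keywords are lowercased (sshd compares them case-insensitively), only the
    "Keyword value" form is handled, and within one section the first occurrence
    of a keyword wins, as in sshd.
    """
    global_settings = {}
    blocks = []
    current = None  # settings dict of the Match block being read, or None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            # Criteria come in pairs ("Group sftp-admin User alice"), values may be
            # comma-separated lists; "Match all" yields empty criteria and fits everyone.
            tokens = [] if value.split() == ["all"] else value.split()
            criteria = {tokens[i].lower(): tokens[i + 1].split(",")
                        for i in range(0, len(tokens) - 1, 2)}
            current = {}
            blocks.append((criteria, current))
        elif current is None:
            global_settings.setdefault(keyword, value)
        else:
            # Anything after the first Match line is scoped to a block, never global:
            # a "global" line placed too late silently loses its intended effect.
            current.setdefault(keyword, value)
    return global_settings, blocks


def block_matches(criteria, user, groups):
    """True when every criterion on the Match line fits this connection."""
    for key, wanted in criteria.items():
        if key == "user":
            if user not in wanted:
                return False
        elif key == "group":
            if not set(groups) & set(wanted):
                return False
        else:
            return False  # Host/Address/LocalPort criteria are not modelled here
    return True


def effective_setting(text, keyword, user, groups):
    """Value sshd would use: the first fitting Match block that sets the keyword,
    else the global value, else None (sshd then uses its compiled-in default)."""
    keyword = keyword.lower()
    global_settings, blocks = parse_sshd_config(text)
    for criteria, settings in blocks:
        if keyword in settings and block_matches(criteria, user, groups):
            return settings[keyword]
    return global_settings.get(keyword)


def audit_password_auth(text, users):
    """Effective PasswordAuthentication per user plus findings: a global default that
    is not 'no', and any sftp-admin member who can still authenticate with a password."""
    findings = []
    global_settings, _ = parse_sshd_config(text)
    # sshd's compiled-in default for PasswordAuthentication is "yes".
    if global_settings.get("passwordauthentication", "yes").lower() != "no":
        findings.append("global PasswordAuthentication is not 'no'")
    effective = {}
    for user, groups in users.items():
        value = effective_setting(text, "PasswordAuthentication", user, groups)
        effective[user] = (value or "yes").lower()
        if "sftp-admin" in groups and effective[user] == "yes":
            findings.append(f"{user}: admin account can authenticate with a password")
    return effective, findings


if __name__ == "__main__":
    effective, findings = audit_password_auth(SAMPLE_SSHD_CONFIG, SAMPLE_USERS)
    for user, value in effective.items():
        print(f"{user}: PasswordAuthentication {value}")
    for finding in findings:
        print("finding:", finding)
```

On a real host the authoritative check is sshd itself: `sudo sshd -t` validates the file, and `sudo sshd -T -C user=NEW-CLIENT-USER,host=HOST,addr=ADDR` prints the settings sshd would apply to that connection (HOST and ADDR are placeholders for the connecting client).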
Set up general connection limitations and default settings for new SFTP users.

- Modify the MySecureShell configuration in the /etc/ssh/sftp_config file:

  ```
  <Default>
      GlobalDownload 0
      Download 0
      LimitConnection 100
      LimitConnectionByUser 10
      LimitConnectionByIP 10
      CreateHome true
      Home /var/www/$USER
  </Default>

  <Group sftp-admin>
      Home /var/www
  </Group>

  <Group sftp-client>
      Home /var/www/$USER
  </Group>
  ```

  This fragment only sets limits and home directories; the jail itself comes from MySecureShell's StayAtHome and VirtualChroot options, so keep both enabled in the Default block.

- Restart the process to apply changes:

  ```
  sudo systemctl restart mysecureshell
  ```
Users below have the custom SFTP shell (MySecureShell) and therefore no bash or similar shell.

Based on the previous configuration, this user will have access to all directories.

Note: It is advised NOT to use password authentication for admin users.

- Create the new user NEW-ADMIN-USER:

  ```
  sudo sftp-user create NEW-ADMIN-USER
  ```

- Add the user to the SFTP-only group sftp-admin:

  ```
  sudo usermod -a -G sftp-admin NEW-ADMIN-USER
  ```
Based on the previous configuration, this user will be jailed in the /var/www/NEW-CLIENT-USER directory.

- Create the new user NEW-CLIENT-USER:

  ```
  sudo sftp-user create NEW-CLIENT-USER
  ```

- Add the user to the SFTP-only group sftp-client:

  ```
  sudo usermod -a -G sftp-client NEW-CLIENT-USER
  ```
- List all users created and managed with MySecureShell:

  ```
  sudo sftp-user list
  ```

- Delete the user USERNAME created and managed with MySecureShell:

  ```
  sudo sftp-user delete USERNAME
  ```