Steps to create a new SSH user and SFTP user

ADD_SFTP_User.md

How to add a SFTP user to your VM managed by ServerPilot control panel using Ubuntu 14.04

I am not a security expert, so take it for what its worth.

OpenSSH has this ability built in, few people just seem to use the feature. Below is what works for me, but if you have a better way please share the uninformed.

The Steps:

1. First create a new app inside of the SP control panel
2. Now, decide what direcoty you want to put the users directory; either <app_name> or <app_name>/public. This will keep trolls at bay.
   • NOTE: The entire path MUST be owned by root.
3. Update your directory PATH to root:

sudo chown root:root /srv
sudo chown root:root /srv/users
sudo chown root:root /srv/users/serverpilot
sudo chown root:root /srv/users/serverpilot/apps
sudo chown root:root /srv/users/serverpilot/apps/<app_anme>

• 4. Create the new user account:

sudo adduser --home /srv/users/serverpilot/apps/<app_name> <new_sftp_user>

Follow the prompt and note that this will create a user and group with the name you supplied.

• 5. Create a new group that has only SFTP access (no SSH access)

sudo groupadd <new_sftp_group>

• 6. Add the new user to the new group and change ownership of their home directory to root

sudo usermod -a -G <new_sftp_user> <new_sftp_user>
sudo usermod -a -G <new_sftp_group> <new_sftp_user>
sudo chown root:root /srv/users/serverpilot/apps/<app_name>

Now that the user is all setup and has the correct permission, we need to configure OpenSSH.

• 7. Configure the internal sftp server, by editing the sshd_config file

sudo vim /etc/ssh/sshd_config

If you don't use vim the replace with whatever editor - ie: nano

• 8. Search for Subsystem (I like to duplicate the line and comment out the original)

  • Add the following:

    # Subsystem sftp /usr/lib/openssh/sftp-server
    Subsystem sftp internal-sftp

• 9. Set up the chroot environment - (You should still have the file open)

  • add to the very BOTTOM of the sshd_config

  Match Group <new_sftp_group>
      ChrootDirectory %h
      X11Forwarding no
      AllowTcpForwarding no
      ForceCommand internal-sftp

  • It's important that Match Group <new_sftp_group> is the same group you created earlier.

• 10. Save and restart the ssh server

  # restart SSH
  sudo service ssh restart 

That's all there is to it.

So if you want to test. You'll need to use an FTP client that supports SFTP.

I should mention that you'll need to do Steps 1 - 6 each time you add another SFTP user.

ADD_SSH_User.md

How to add an SSH user to your VM manged by ServerPilot control panel using Ubuntu 14.04

But in theory will work for VMs in general ie: DigitalOcean or AWS instance

Also NOTE: I am not a security expert, so take it for what its worth.

There seems to be some confusion regarding what gist does regarding permissions - Which you can see in the comments, and I can understannd why some are confused based on the nature of it all. So Here is a tutorial on adding a new SSH user to your VM. Note that any new user using this method will have all the same permissions that the serverpilot user does, so don't go crazy adding users. Add the ones you trust.

---

So a good example of a use case would be - you have a VM that has a few projects on it. There is a new developer on your team -- then follow the steps below.

---

The Steps:

1. Add new user (you might need to use sudo)

   useradd <new_user> 

2. Follow on screen prompts - this will allow SSH with the password set from the prompts (If there are no prompts just move on to Step 3 You will reset the password in the last step

3. Update user's home directory to ServerPilots apps direcotry OR vim /etc/passwd to change the new users path - This will be the directory where they will arrive when connecting with SSH

   usermod -d /srv/users/serverpilot/apps <new_user>  

4. Add the user to the ServerPilot Group

   usermod -a -G serverpilot <new_user>

5. Check permissions of the apps directory

   ls -ld /srv/users/serverpilot/apps/ 

The output should look like drwxr-xr-x 2 root serverpilot 4096 Jan 27 09:08 /srv/users/serverpilot/apps/

6. Add read write execute permission to ServerPilot Group

   chown -vR :serverpilot /srv/users/serverpilot/apps/ 

This changed ownership of /srv/users/serverpilot/apps/ from root:root to :serverpilot

7. Grant write permission to the group owner

   chmod -vR g+w /srv/users/serverpilot/apps/ 

This changed from 0755 (rwxr-xr-x) to 0775 (rwxrwxr-x)

8. Change password of the new user (only if prompt didn't work) You may need sudo

   sudo passwd <new_user>

Some good stuff to know

List all user:

cut -d: -f1 /etc/passwd

Delete a user:

sudo userdel <user_name>

Delet a group:

sudo groupdel <group_name>

Also the user would be able to escalate and view and download everything down to the root which normally is not happening with a normal SP system user (except in 14.04 where the SP system user can get into the /etc/nginx-sp/vhost.d if he guess we're using ServerPilot).
Not good :(

Hi there,

I have followed the guide but i ran into a problem.
Changing the owner of /srv/, /srv/users/ and /srv/users/serverpilot/ to root works fine, but when i change the owner of the /srv/users/serverpilot to root all my websites show File not found in the browser. I cannot detect why this is happening. any thoughts?

@nvzsolutions - I am facing the same issue and ended up restoring the droplet. Did you get any resolution on that?

@ginfuru - to use SSL feature for free you could use this script https://github.com/lesaff/serverpilot-letsencrypt

@nvzsolutions, @kwlvarun just change it back to:

sudo chown serverpilot:serverpilot /srv
sudo chown serverpilot:serverpilot /srv/users
sudo chown serverpilot:serverpilot /srv/users/serverpilot
sudo chown serverpilot:serverpilot /srv/users/serverpilot/apps
sudo chown serverpilot:serverpilot /srv/users/serverpilot/apps/<app_anme>