Skip to content

Instantly share code, notes, and snippets.

@edheltzel
Last active January 15, 2023 20:14
Show Gist options
  • Save edheltzel/18f19e6eb6ada1286217 to your computer and use it in GitHub Desktop.
Save edheltzel/18f19e6eb6ada1286217 to your computer and use it in GitHub Desktop.
Steps to create a new SSH user and SFTP user

How to add a SFTP user to your VM managed by ServerPilot control panel using Ubuntu 14.04

I am not a security expert, so take it for what its worth.

OpenSSH has this ability built in, few people just seem to use the feature. Below is what works for me, but if you have a better way please share the uninformed.

The Steps:

  1. First create a new app inside of the SP control panel
  2. Now, decide what direcoty you want to put the users directory; either <app_name> or <app_name>/public. This will keep trolls at bay.
    • NOTE: The entire path MUST be owned by root.
  3. Update your directory PATH to root:
sudo chown root:root /srv
sudo chown root:root /srv/users
sudo chown root:root /srv/users/serverpilot
sudo chown root:root /srv/users/serverpilot/apps
sudo chown root:root /srv/users/serverpilot/apps/<app_anme>
  • 4. Create the new user account:
sudo adduser --home /srv/users/serverpilot/apps/<app_name> <new_sftp_user>

Follow the prompt and note that this will create a user and group with the name you supplied.

  • 5. Create a new group that has only SFTP access (no SSH access)
sudo groupadd <new_sftp_group>
  • 6. Add the new user to the new group and change ownership of their home directory to root
sudo usermod -a -G <new_sftp_user> <new_sftp_user>
sudo usermod -a -G <new_sftp_group> <new_sftp_user>
sudo chown root:root /srv/users/serverpilot/apps/<app_name>

Now that the user is all setup and has the correct permission, we need to configure OpenSSH.

  • 7. Configure the internal sftp server, by editing the sshd_config file
sudo vim /etc/ssh/sshd_config

If you don't use vim the replace with whatever editor - ie: nano

  • 8. Search for Subsystem (I like to duplicate the line and comment out the original)

    • Add the following:

      # Subsystem sftp /usr/lib/openssh/sftp-server
      Subsystem sftp internal-sftp
  • 9. Set up the chroot environment - (You should still have the file open)

    • add to the very BOTTOM of the sshd_config
    Match Group <new_sftp_group>
        ChrootDirectory %h
        X11Forwarding no
        AllowTcpForwarding no
        ForceCommand internal-sftp
    • It's important that Match Group <new_sftp_group> is the same group you created earlier.
  • 10. Save and restart the ssh server

    # restart SSH
    sudo service ssh restart 

That's all there is to it.

So if you want to test. You'll need to use an FTP client that supports SFTP.

I should mention that you'll need to do Steps 1 - 6 each time you add another SFTP user.

How to add an SSH user to your VM manged by ServerPilot control panel using Ubuntu 14.04

But in theory will work for VMs in general ie: DigitalOcean or AWS instance

Also NOTE: I am not a security expert, so take it for what its worth.

There seems to be some confusion regarding what gist does regarding permissions - Which you can see in the comments, and I can understannd why some are confused based on the nature of it all. So Here is a tutorial on adding a new SSH user to your VM. Note that any new user using this method will have all the same permissions that the serverpilot user does, so don't go crazy adding users. Add the ones you trust.


So a good example of a use case would be - you have a VM that has a few projects on it. There is a new developer on your team -- then follow the steps below.


The Steps:

  1. Add new user (you might need to use sudo)

    useradd <new_user> 
  2. Follow on screen prompts - this will allow SSH with the password set from the prompts (If there are no prompts just move on to Step 3 You will reset the password in the last step

  3. Update user's home directory to ServerPilots apps direcotry OR vim /etc/passwd to change the new users path - This will be the directory where they will arrive when connecting with SSH

    usermod -d /srv/users/serverpilot/apps <new_user>  
  4. Add the user to the ServerPilot Group

    usermod -a -G serverpilot <new_user>
  5. Check permissions of the apps directory

    ls -ld /srv/users/serverpilot/apps/ 

The output should look like drwxr-xr-x 2 root serverpilot 4096 Jan 27 09:08 /srv/users/serverpilot/apps/

  1. Add read write execute permission to ServerPilot Group

    chown -vR :serverpilot /srv/users/serverpilot/apps/ 

This changed ownership of /srv/users/serverpilot/apps/ from root:root to :serverpilot

  1. Grant write permission to the group owner

    chmod -vR g+w /srv/users/serverpilot/apps/ 

This changed from 0755 (rwxr-xr-x) to 0775 (rwxrwxr-x)

  1. Change password of the new user (only if prompt didn't work) You may need sudo

    sudo passwd <new_user>

Some good stuff to know

List all user:

cut -d: -f1 /etc/passwd

Delete a user:

sudo userdel <user_name>

Delet a group:

sudo groupdel <group_name>
@nvzsolutions
Copy link

Hi there,

I have followed the guide but i ran into a problem.
Changing the owner of /srv/, /srv/users/ and /srv/users/serverpilot/ to root works fine, but when i change the owner of the /srv/users/serverpilot to root all my websites show File not found in the browser. I cannot detect why this is happening. any thoughts?

@kwlvarun
Copy link

kwlvarun commented Jul 6, 2018

@nvzsolutions - I am facing the same issue and ended up restoring the droplet. Did you get any resolution on that?

@Bronskiy
Copy link

Bronskiy commented Aug 5, 2018

@ginfuru - to use SSL feature for free you could use this script https://github.com/lesaff/serverpilot-letsencrypt

@Bronskiy
Copy link

Bronskiy commented Aug 5, 2018

@nvzsolutions, @kwlvarun just change it back to:

sudo chown serverpilot:serverpilot /srv
sudo chown serverpilot:serverpilot /srv/users
sudo chown serverpilot:serverpilot /srv/users/serverpilot
sudo chown serverpilot:serverpilot /srv/users/serverpilot/apps
sudo chown serverpilot:serverpilot /srv/users/serverpilot/apps/<app_anme>

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment