Introduction
This guide covers how to create a user for use with SFTP.
Update SSH Configuration
First, the SSH configuration will need to be updated.
Edit the /etc/ssh/sshd_config file. For example, using nano:
sudo nano /etc/ssh/sshd_config
Locate the following line:
Subsystem sftp /usr/lib/openssh/sftp-server
Replace it with:
Subsystem sftp internal-sftp
Then reload the SSH server:
sudo systemctl reload ssh
Create the User
Create a user. In this guide we will use the username sftpuser, but you may use any valid username.
sudo adduser sftpuser
Set the user's password:
sudo passwd sftpuser
Change the user's shell so that they can only use SFTP and not a normal SSH shell:
sudo usermod -s /usr/sbin/nologin sftpuser
By default, the user will only have access to their home directory.
Mounting a directory
Symlinks do not work within SFTP. To mount a directory inside the SFTP user's home directory, use a bind mount. For example:
sudo mount -o bind /mnt/persistent-data/jrc-data/www/DOMAIN.COM/live/sftpdirectory /home/sftpuser/sftpdirectory/
The above command will bind /mnt/persistent-data/jrc-data/www/DOMAIN.COM/live/sftpdirectory/ to /home/sftpuser/sftpdirectory/ so that the SFTP user can access it.
This mount will not persist across reboots. To persist the mount, create a script. For example, to edit the script with nano:
sudo nano /mnt/jrc-comms/hooks/boot.d/50-your-hook-name
Create the contents:
#!/bin/bash
set -e
# Only mount if the destination is not already a mount point,
# so running the hook twice does not stack a second bind mount.
if ! mountpoint -q /destination; then
    mount --bind /source /destination
fi
Replace /source and /destination with the source directory you want to mount and the destination directory you want to mount it to. This script will run on boot to mount the directory.
Make the script executable or it will not be able to run on boot:
sudo chmod +x /mnt/jrc-comms/hooks/boot.d/50-your-hook-name
WARNING: Do not put bind mounts in /etc/fstab. This will prevent the server from booting properly.
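To confirm that each step above took effect, the following read-only checks can be run on the server. This is an added example, not part of the original guide; the function names and the SSHD_CONFIG, PASSWD_FILE and MOUNTINFO variables are assumptions introduced here.

```shell
#!/bin/bash
# Added example: read-only checks for the setup in this guide. File paths can
# be overridden so the checks also work on copies (assumed variable names).
SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}"
PASSWD_FILE="${PASSWD_FILE:-/etc/passwd}"
MOUNTINFO="${MOUNTINFO:-/proc/self/mountinfo}"

# Succeeds if the first uncommented "Subsystem sftp" line uses internal-sftp.
# sshd_config keywords are case-insensitive, so "subsystem" also matches.
sftp_subsystem_is_internal() {
    awk '
        /^[ \t]*#/ { next }
        tolower($1) == "subsystem" && $2 == "sftp" {
            found = 1; ok = ($3 == "internal-sftp"); exit
        }
        END { exit ((found && ok) ? 0 : 1) }
    ' "$SSHD_CONFIG"
}

# Succeeds if the user's login shell (passwd field 7) is a nologin binary.
# A user that does not exist counts as a failure.
has_nologin_shell() {
    shell=$(awk -F: -v u="$1" '$1 == u { print $7; exit }' "$PASSWD_FILE")
    case "$shell" in
        */nologin) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeeds if the directory is currently a mount point (mountinfo field 5).
# A trailing slash on the argument is ignored.
is_mounted() {
    awk -v d="${1%/}" '$5 == d { found = 1; exit }
        END { exit (found ? 0 : 1) }' "$MOUNTINFO"
}

# Runs all three checks, prints each failure, returns the failure count.
audit_sftp_user() {   # usage: audit_sftp_user USER BIND_DESTINATION
    failures=0
    sftp_subsystem_is_internal || { echo "FAIL: Subsystem sftp is not internal-sftp"; failures=$((failures + 1)); }
    has_nologin_shell "$1" || { echo "FAIL: $1 still has a login shell"; failures=$((failures + 1)); }
    is_mounted "$2" || { echo "FAIL: $2 is not mounted"; failures=$((failures + 1)); }
    return "$failures"
}
```

For the user and mount in this guide, call audit_sftp_user sftpuser /home/sftpuser/sftpdirectory/ after sourcing the file; an exit status of 0 means all three checks passed.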