Requirements
Let's say you want to create 3 SFTP-only users:
- mainuser: manages the other users' folders and files
- user01: can only view/edit its own folder and files
- user02: can only view/edit its own folder and files
Creating Users and Directories
- Create the 3 users
  ```bash
  sudo adduser mainuser
  sudo adduser user01
  sudo adduser user02
  ```
- Create the upload folders for user01 and user02
  ```bash
  sudo mkdir -p /var/sftp/user01/uploads
  sudo mkdir -p /var/sftp/user02/uploads
  ```
- Give root write permission on each user's top-level directory, and give everyone else only read and execute rights (sshd only accepts a ChrootDirectory when it and all of its parents are owned by root and not writable by group or others)
  ```bash
  sudo chmod 755 /var/sftp/user01
  sudo chmod 755 /var/sftp/user02
  ```
- Change the ownership of each uploads directory to the user you just created, so that it is the only place that user can write
  ```bash
  sudo chown user01:user01 /var/sftp/user01/uploads
  sudo chown user02:user02 /var/sftp/user02/uploads
  ```
- Make mainuser the group owner of /var/sftp so it can view all user folders
  ```bash
  sudo chown root:mainuser /var/sftp
  ```
Restricting Access to Directory
Note 1: We create a separate sshd config file for each user because it is cleaner, and /etc/ssh/sshd_config automatically includes the .conf files in /etc/ssh/sshd_config.d/.
Note 2: user01 and user02 land in their own folder on login, but cannot create folders or files outside the uploads folder.
- Create the mainuser sshd config file
  ```bash
  sudo nano /etc/ssh/sshd_config.d/mainuser.conf
  ```
- Add the following to the newly created mainuser conf file
  ```
  Match User mainuser
      ForceCommand internal-sftp
      PasswordAuthentication yes
      ChrootDirectory /var/sftp/
      PermitTunnel no
      AllowAgentForwarding no
      AllowTcpForwarding no
      X11Forwarding no
  ```
- Create the user01 sshd config file
  ```bash
  sudo nano /etc/ssh/sshd_config.d/user01.conf
  ```
- Add the following to the newly created user01 conf file
  ```
  Match User user01
      ForceCommand internal-sftp
      PasswordAuthentication yes
      ChrootDirectory /var/sftp/user01
      PermitTunnel no
      AllowAgentForwarding no
      AllowTcpForwarding no
      X11Forwarding no
  ```
- Create the user02 sshd config file
  ```bash
  sudo nano /etc/ssh/sshd_config.d/user02.conf
  ```
- Add the following to the newly created user02 conf file
  ```
  Match User user02
      ForceCommand internal-sftp
      PasswordAuthentication yes
      ChrootDirectory /var/sftp/user02
      PermitTunnel no
      AllowAgentForwarding no
      AllowTcpForwarding no
      X11Forwarding no
  ```
- Restart the sshd service
  ```bash
  sudo systemctl restart sshd
  ```
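As an added check (example script, not part of the original post), the following verifies the two things that most often break this setup: the root-ownership and mode rules sshd enforces on a ChrootDirectory and every parent directory, and that each per-user Match block carries all of the directives above. It assumes GNU stat and a shell with `local`; the `--live` flag and the optional OWNER_UID argument (so a staging copy of the tree can be checked as a non-root user) are this example's own.

```sh
#!/bin/sh
# Added example, not part of the original post: checks for the layout above.
# sshd refuses a ChrootDirectory unless it and every parent directory are
# owned by root and not writable by group or others.

# check_chroot_path ROOT RELPATH [OWNER_UID]
# Checks ROOT, then each successive component of RELPATH below it.
# Live use: check_chroot_path / var/sftp/user01   (owner defaults to uid 0).
# OWNER_UID is this example's addition so a staging tree can be tested as
# a non-root user.
check_chroot_path() {
  local path rest want_uid rc info uid mode comp
  path=${1%/}; rest=${2#/}; want_uid=${3:-0}; rc=0
  [ -n "$path" ] || path=/
  while :; do
    info=$(stat -c '%u %a' "$path" 2>/dev/null) || return 2
    uid=${info% *}; mode=${info#* }
    [ "$uid" = "$want_uid" ] || { echo "BAD owner: $path uid=$uid"; rc=1; }
    # 022 = group-write | other-write; either bit set makes sshd reject it
    [ $(( 0$mode & 022 )) -eq 0 ] || { echo "BAD mode: $path ($mode)"; rc=1; }
    [ -n "$rest" ] || break
    comp=${rest%%/*}; rest=${rest#"$comp"}; rest=${rest#/}
    path=${path%/}/$comp
  done
  return $rc
}

# check_sftp_conf FILE: every per-user Match block from the post must force
# the SFTP subsystem, chroot the session and switch off the forwarding
# options that would otherwise let an "SFTP only" account open tunnels.
check_sftp_conf() {
  local rc want
  rc=0
  for want in 'ForceCommand internal-sftp' 'ChrootDirectory ' 'PermitTunnel no' \
              'AllowAgentForwarding no' 'AllowTcpForwarding no' 'X11Forwarding no'; do
    grep -qi "^[[:space:]]*$want" "$1" || { echo "MISSING in $1: $want"; rc=1; }
  done
  return $rc
}

# Run as root with --live on the server; sshd -t parses the full config,
# including the files in sshd_config.d, without restarting the service.
if [ "${1:-}" = "--live" ]; then
  live_rc=0
  for d in var/sftp var/sftp/user01 var/sftp/user02; do
    check_chroot_path / "$d" || live_rc=1
  done
  for u in mainuser user01 user02; do
    check_sftp_conf "/etc/ssh/sshd_config.d/$u.conf" || live_rc=1
  done
  sshd -t && [ "$live_rc" -eq 0 ] && echo "layout and sshd config OK"
fi
```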