
Implement a SFTP Service for Ubuntu/Debian With a Chroot’ed, Isolated File Directory.

In this entry I will explain how to install and set up an SFTP service on an Ubuntu or Debian Linux server. SFTP (Secure File Transfer Protocol) is an extension of SSH (Secure SHell), the protocol commonly used for secure remote access to systems.

Despite its name, SFTP is not an extension of the 1985 FTP (File Transfer Protocol, RFC 959), which was in common use until the late 1990s to share files online. FTP fell out of favour for Internet use in the 2000s due to the protocol’s inherent insecurities, in addition to competition from newer protocols such as the bandwidth-friendly BitTorrent protocol. The most glaring insecurity with FTP is that it requires log-in user names and passwords to be sent between the client and the server as unencrypted plain text.

Fortunately, in recent years many of the more popular FTP clients have implemented complete support for SFTP, making the end-user transition from insecure to secure transfers seamless. Older, now redundant stop-gaps for secure FTP such as FTPS/FTP-SSL, now referred to as FTP with TLS (RFC 4217), were confusing to use and difficult to set up correctly.

It has now gotten to the point where people probably would not know the difference between browsing a secure SFTP site and browsing an open, insecure FTP site. Personally my favourite FTP/SFTP client is the multi-platform, open-source FileZilla, but there are many others such as SmartFTP, WinSCP or FireFTP (for Firefox).

Okay, to the task at hand. We will do everything in the CLI (command line interface), aka shell mode.

First, make sure your package repository index is up to date.

sudo apt-get update

Now install OpenSSH server software.

sudo apt-get install openssh-server

We then create a user group for SFTP access; I will call it sftponly. For security I think it is best practice not to allow accounts with SFTP access any additional admission to the server through a secure shell (SSH) remote log-in.

sudo groupadd sftponly

Run the following to display your new group. It will be listed as the last entry.

cat /etc/group

cat quickly displays a text file, while /etc/group is the file that defines the groups on the server. You should see something like this.

Output of cat /etc/group.

Each line is an individual group; you can see the name, the password (set to x, which means none), the numeric group id and the users who are associated with the group. For sftponly there are currently no assigned users.

Take note of the group id, in this screenshot it is the value 1001.

We now add a new user that we will use exclusively for SFTP access.

sudo useradd [user name] -d / -g [sftponly group id] -M -N -o -u [sftponly group id]
sudo passwd [user name]

The arguments we used:

  • -d is the user’s home directory, which needs to be set to / (root).
  • -g is the group id to assign, which in our example needs to be that of sftponly.
  • -M stops the useradd command creating a home directory.
  • -N disables useradd’s default behaviour of creating a group with the same name as the new user.
  • -u is the user id, which in our case needs to be the same value as the sftponly group id.
  • -o allows duplicate, non-unique user ids.
  • The passwd command sets an encrypted user password.

Add a user of your choice; I will use ben_example. To display your users:

cat /etc/passwd
Output of cat /etc/passwd.

We now backup and edit the SSH Daemon configuration file.

sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
sudo nano +76 /etc/ssh/sshd_config

The line

Subsystem sftp /usr/lib/openssh/sftp-server

Needs to be replaced with

Subsystem sftp internal-sftp

Now go to the end of the document; the key combination Alt / should take you there, or you can simply use the Page Down key. After UsePAM yes add the following lines to configure our sftponly group’s permissions and settings. The ChrootDirectory setting confines all sftponly users to this directory; otherwise sftponly users would have access to your server’s root, which you do not want. /var/www is often the default Debian/Ubuntu location for web servers to place their assets such as HTML, CSS files and images, though you can use a different directory for ChrootDirectory such as /var/sftp.

Match group sftponly
ChrootDirectory /var/www
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp

Once finished, use the key combination Ctrl O to save and then Ctrl X to exit.

Output of sudo nano /etc/ssh/sshd_config.
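To confirm the edited file actually contains what this step describes before restarting the daemon, the following added example (written for this article, not code from the post or from OpenSSH) parses an sshd_config the way sshd reads it: comments are stripped, keywords are case-insensitive, and every line after a Match line belongs to that block until the next Match. It assumes POSIX sh and awk; the function names check_sftp_config, write_good_sample and write_bad_sample and the two sample configurations are constructed for the demonstration.

```shell
#!/bin/sh
# Added example for this article (not code from the post or from OpenSSH):
# verify that an sshd_config carries the SFTP settings the tutorial adds.
# Parsing mirrors sshd: comments are stripped, keywords are case-insensitive,
# and every line after "Match" belongs to that block until the next "Match".
# Assumes POSIX sh and awk.

# check_sftp_config FILE GROUP
# Exit 0 if FILE sets "Subsystem sftp internal-sftp" and the Match block for
# GROUP contains ChrootDirectory, ForceCommand internal-sftp,
# AllowTcpForwarding no and X11Forwarding no; otherwise list what is missing.
check_sftp_config() {
  awk -v grp="$2" '
    {
      sub(/#.*/, "")            # drop comments; awk re-splits the fields
      if (NF == 0) next
      key = tolower($1)
    }
    key == "subsystem" && tolower($2) == "sftp" {
      if (tolower($3) == "internal-sftp") subsystem_ok = 1
    }
    key == "match" {
      inblock = 0
      # criteria come in keyword/value pairs; we want "Group <grp>"
      for (i = 2; i < NF; i += 2)
        if (tolower($i) == "group" && $(i + 1) == grp) inblock = 1
      next
    }
    inblock {
      if (key == "chrootdirectory" && $2 ~ /^\//)                  seen["chrootdirectory"] = 1
      if (key == "forcecommand" && tolower($2) == "internal-sftp") seen["forcecommand"] = 1
      if (key == "allowtcpforwarding" && tolower($2) == "no")      seen["allowtcpforwarding"] = 1
      if (key == "x11forwarding" && tolower($2) == "no")           seen["x11forwarding"] = 1
    }
    END {
      rc = 0
      if (!subsystem_ok) { print "missing: Subsystem sftp internal-sftp"; rc = 1 }
      n = split("chrootdirectory forcecommand allowtcpforwarding x11forwarding", want, " ")
      for (j = 1; j <= n; j++)
        if (!seen[want[j]]) { print "missing in Match group " grp ": " want[j]; rc = 1 }
      exit rc
    }' "$1"
}

# Constructed sample config (not from any real server), as the file looks
# after the edits described in this step.
write_good_sample() {
  cat > "$1" <<'EOF'
Port 22
Subsystem sftp internal-sftp
UsePAM yes
Match group sftponly
ChrootDirectory /var/www
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
EOF
}

# Constructed sample of a half-finished edit: stock Subsystem line kept and
# the ChrootDirectory line forgotten.
write_bad_sample() {
  cat > "$1" <<'EOF'
Port 22
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes
Match group sftponly
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
EOF
}

# Usage: sh check_sftp_config.sh /etc/ssh/sshd_config sftponly
if [ -n "${2:-}" ]; then
  check_sftp_config "$1" "$2"
fi
```

check_sftp_config /etc/ssh/sshd_config sftponly exits 0 only when the Subsystem line uses internal-sftp and the sftponly Match block carries all four settings. OpenSSH itself can report the effective configuration for a given user with sudo sshd -T -C user=ben_example,host=localhost,addr=127.0.0.1, and sudo sshd -t checks the file for syntax errors without restarting anything.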

Now make sure the directory you assigned to ChrootDirectory actually exists, and if it does not then create it. The directory’s owner and group also need to be root, which they should be by default if you create it with the following command.

sudo mkdir /var/www
Output of SFTP root directory.
A reminder, the directory and its parent directories you assign to ChrootDirectory MUST be owned by root and assigned the group root. Otherwise SFTP clients will not be able to upload or modify files and directories.

Now, for later testing, create the first of three directories within your ChrootDirectory.

cd /var/www
sudo mkdir test_readonly
sudo chmod 755 test_readonly

If you are not familiar with the chmod command shown, we will quickly go through it, although a full explanation is beyond the scope of this article. The chmod (change mode) parameter 755 is a permission code in octal notation. You break it up into 3 parts: 7/5/5.

  1. The 1st part is the owner’s permission for this directory (root in this example, since root created it).
  2. 2nd is group permission.
  3. 3rd is everyone else.

The value of each part grants permissions to its class of user. A value of 0 grants no permission, 1 grants execute, 2 grants write and 4 grants read. These values are summed to combine permissions, so 1 (execute) + 2 (write) + 4 (read) equals 7, which grants execute, write and read, aka total access. chmod 755 test_readonly therefore means the owner (root) has total access, while users in the directory’s group and everyone else only have read and execute access: 4 (read) + 1 (execute) = 5. More can be read about Linux permissions here.

sudo mkdir test_readwrite
sudo chown root:sftponly test_readwrite
sudo chmod 775 test_readwrite

The above commands create a test_readwrite directory whose owner is root and group is sftponly. Both root and sftponly members have full access permissions within test_readwrite, which allows the creation and deletion of files and sub-directories.

To remove browsing access to a directory you remove the read permission, as shown below. 1 (execute) + 2 (write) = 3 grants execute and write access but, critically, no read, which leaves the other two permissions largely redundant.

sudo mkdir test_noaccess
sudo chmod 733 test_noaccess

Restart the SSH server.

sudo /etc/init.d/ssh restart

If you don’t know your server’s IP address:

ip -o -f inet addr
Discover your server’s IP address.

lo is your loopback (local host) interface, eth0 is your wired Ethernet address and wlan0 is probably wireless.

Connect to your SSH server using an SFTP client such as FileZilla. Make sure you use the correct IP address and port number which by default is 22.

Filezilla site manager connecting to my example SFTP server.

You should be connected to the directory assigned to ChrootDirectory (/var/www) in your SSHD configuration, which doubles as the SFTP client’s root folder. Also listed should be the test_readonly, test_readwrite and test_noaccess directories that we created earlier. Play or navigate around; hopefully you can upload files and create/delete directories within test_readwrite, while test_readonly should be limited to browsing or download access, and test_noaccess, although displayed, should refuse to open.

Browsing your SFTP root in Filezilla.

In the screen capture below we have Filezilla’s message log with 3 sections highlighted. The orange section shows my failed attempt at accessing test_noaccess. The purple is the successful attempt at accessing test_readonly, but a failure in creating a New directory sub-folder within. While the green section shows access into test_readwrite as well as being able to create a New directory sub-folder and its subsequent removal.

Colour-coded message log from browsing our SFTP service in FileZilla.

Congratulations you now have a working example of a SFTP service running on your server. It should be mentioned that a number of these instructions were originally learnt from the blog post SFTP on Ubuntu and Debian in 9 easy steps and the reader comments.




86 thoughts on “Implement a SFTP Service for Ubuntu/Debian With a Chroot’ed, Isolated File Directory.”

  1. I am having a problem. I am running Ubuntu 11.04. I have double checked all the steps and they are set-up properly. When I try to use Filezilla to connect with the user I made all I get is:
    Status: Connecting to…
    Response: fzSftp started
    Command: open “dev@” 22
    Command: Trust new Hostkey: Once
    Command: Pass: ***
    Error: Connection reset by peer
    Error: Could not connect to server
    Status: Waiting to retry…

    Although I can still connect with my main user which is “Icedd”
    Through both nautilus and FileZilla.

    Neither work for my created user “Dev”

    When I try to use sftp://dev@server
    all I get is:
    It prompts for my password then it says

    Could not display “sftp://dev@server/”.
    Error: ssh program unexpectedly exited
    Please select another viewer and try again.

    Any ideas?

  2. By the sounds of it you have user permission, user name or user access conflicts.

    You need to create a group unique for sftp use ie: sftponly.
    You then also need to assign the sftponly group membership to the SFTP root and recursive directory that will host your files.
    You also need to make sure that this root directory and its sub-directories have at least read & execute permissions for the group, i.e. at least chmod 550 /var/sftp/
    You also need to make sure any users you create to use for SFTP are members of sftponly.

  3. Hi thank you for your reply. This is what I have:

    In the sshd_config file I have: ChrootDirectory /var/www/dev
    My sftp user is dev.
    My sftp group IS sftponly
    dev IS a member of sftponly
    The permissions of /var/www/dev are:
    owner: dev
    group: sftponly
    and I ran: sudo chmod -R 777 /var/www/dev

    I still get the same error.

    Here is a link to my sshd_config:

    Any other thoughts perhaps? Thanks in adv..

  4. Dev is a pretty generic username and it might be causing a conflict, maybe you may want to change it and the directory ownerships to dev_sftp or something more distinct and see if that works? Otherwise …

    Is the sftponly group similar this listing below when you run cat /etc/group?

    And does your dev user record match the id number and look similar to the listing below when you run cat /etc/passwd?

  5. I mean:
    With any other directory using exactly the same permissions, I get:

    debug1: Authentication succeeded (password).
    debug1: channel 0: new [client-session]
    debug1: Entering interactive session.
    debug1: channel 0: free: client-session, nchannels 1
    debug1: fd 0 clearing O_NONBLOCK
    Read from remote host localhost: Connection reset by peer
    debug1: Transferred: stdin 0, stdout 0, stderr 59 bytes in 0.0 seconds
    debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 33314.8
    debug1: Exit status -1
    Couldn’t read packet: Connection reset by peer

    Only with /var/www directory it works well.

    1. sudo nano /etc/ssh/sshd_config

      Match group sftponly
      ChrootDirectory /var/www
      X11Forwarding no
      AllowTcpForwarding no
      ForceCommand internal-sftp

  6. Thanks for answering.
    I’m sure that those are the lines that I already have in my sshd_config file. And so far so good. At this point everything works like a charm.
    The trouble starts when trying to use a directory other than /var/www. In my case /home/[another user]/jail, because I need that [another user] (member of sftponly group) make the administration of /home/[another user]/jail
    I followed every step of your tutorial, but I get that “… Connection reset by peer” error

  7. I solved what I need, but I’ve curiosity about this.
    The problem appears to be with subdirectories of /home only. I created a subdirectory of /opt and everything worked fine. Here are the comparison of the debug lines.

    using /home/not_working:
    debug1: Authentication succeeded (password).
    debug1: channel 0: new [client-session]
    debug1: Entering interactive session.
    debug1: channel 0: free: client-session, nchannels 1
    debug1: fd 0 clearing O_NONBLOCK
    Read from remote host localhost: Connection reset by peer
    debug1: Transferred: stdin 0, stdout 0, stderr 59 bytes in 0.0 seconds
    debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 39414.0
    debug1: Exit status -1
    Couldn’t read packet: Connection reset by peer

    using /opt/working:
    Authentication succeeded (password).
    channel 0: new [client-session]
    Entering interactive session.
    Sending environment.
    Sending env LANG = es_ES.UTF-8
    sftp>

  8. Sorry. TABs not working in the post. Here are the no-tabs version 🙂 of the comparison

    using /home/not_working:
    debug1: Authentication succeeded (password)
    debug1: channel 0: new [client-session]
    debug1: Entering interactive session
    debug1: channel 0: free: client-session, nchannels 1
    debug1: fd 0 clearing O_NONBLOCK
    Read from remote host localhost: Connection reset by peer
    debug1: Transferred: stdin 0, stdout 0, stderr 59 bytes in 0.0 seconds
    debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 39414.0
    debug1: Exit status -1
    Couldn’t read packet: Connection reset by peer

    using /opt/working:
    Authentication succeeded (password).
    channel 0: new [client-session]
    Entering interactive session.
    Sending environment.
    Sending env LANG = es_ES.UTF-8
    sftp>

    1. A quick read of the manual page seems to reveal an answer.
      or type man sshd_config

      Specifies a path to chroot(2) to after authentication. This
      path, and all its components, must be root-owned directories that
      are not writable by any other user or group.

      The path may contain the following tokens that are expanded at
      runtime once the connecting user has been authenticated: %% is
      replaced by a literal ‘%’, %h is replaced by the home directory
      of the user being authenticated, and %u is replaced by the
      username of that user.

      The ChrootDirectory must contain the necessary files and
      directories to support the users’ session. For an interactive
      session this requires at least a shell, typically sh(1), and basic
      /dev nodes such as null(4), zero(4), stdin(4), stdout(4), stderr(4),
      arandom(4) and tty(4) devices. For file transfer sessions using
      “sftp”, no additional configuration of the environment is
      necessary if the in-process sftp server is used (see Subsystem).
      “internal-sftp” will force the use of an in-process sftp server
      that requires no support files when used with ChrootDirectory.

      The default is not to chroot(2).

  9. Post was very useful. But I did as you posted above and at the client side the client console shows all folders in the “/” folder. What do I have to do now to solve this?

    1. I suggest trying again and make sure you follow each instruction. If you are serving root “/” as the base FTP directory there is something wrong with your set-up. You are not chroot to a sub-directory.

      1. Thank you very much, I have completed the SFTP configuration. But I have a small doubt: can I integrate ADS users into Ubuntu to log in to the SFTP server?

      2. Hi Sir,

        I have a requirement for an HTTPS file transfer mechanism and am currently looking for software to do this function. I want the software to be ideally meet the following requirements:

        – free/open source
        – run as a service on either windows or Linux (preferably the latter)
        – allow people to send files to a other people
        – must be secure and use HTTPS through a standard web browser
        – be very simple for clients to use (somebody should be able to pretty much go to the web page, select the recipient, choose a file and click upload)

        The current mechanism accepts the file, and then emails the recipient with the https link to download it.

        Surely somebody must have had this requirement before for simple quick document exchanges from outside the company to inside or vice versa that don’t use fully blown sftp servers or the like which requires both sides IT departments getting involved to set up both ends.

        Does anyone have any recommendations for server software on either windows or Linux which can do this?

  10. Thank you. This worked very well. I have a small query. Instead of /var/www I want to use /home/username. This is because I have a separate home partition which is much bigger in size than the / partition. I tried to change it in the sshd_config file, but did not have any success.

  11. This is a great post!

    I wanted to add that if you get permission denied errors trying to use a password instead of an SSH key, double check this config option in sshd_config:

    PasswordAuthentication no

    I also uncommented this one

    AuthorizedKeysFile %h/.ssh/authorized_keys

    Set it to yes, save it, restart ssh and you should be good.

  12. How do you remove said user? I created this user and then realized I wanted a different name so I just created another account; however, this old one is still kicking around… When I try to remove the account via sudo userdel it says he is already logged on… I go to pkill -KILL -u and it continues to the next line as if it killed it… Then when I try userdel again it says he is still logged on… Any help or suggestions on what I am missing would be VERY helpful!!!

    1. Did you stop the SSH service and then try to delete the user account?

      sudo service ssh stop or sudo /etc/init.d/ssh stop

      Otherwise if you can not do that because you’re accessing the machine remotely try

      snice -u [user name]

      To see if the user is connected to your machine and if so run the following to disconnect it.

      skill -KILL -u [user name]

  13. Followed everything on this tutorial almost exactly but I get this in filezilla

    Command: open “boxsftp@x.x.x.x” 22
    Command: Pass: ******
    Error: Network error: Software caused connection abort
    Error: Could not connect to server
    Status: Waiting to retry…
    Status: Connecting to x.x.x.x…
    Response: fzSftp started
    Command: open “boxsftp@x.x.x.x” 22
    Command: Pass: ******
    Error: Network error: Software caused connection abort
    Error: Could not connect to server

    I have no idea what this could be other than a permissions issue. I am using ubuntu server 12.04

    what command can i use to see the users who have permissions to /var/www?
    If I have only done a: chmod 770 /var/www
    could that be my issue? Do I have to create more folders first?

    plz halp? 😐

    1. Sorry for the late response, I have been away from the computer for the past couple of weeks.

      If your filezilla can not connect to your server it seems it believes there is a network connection error between your computer and the server. Is your server on a local network or on a remote network? Can you connect to it using other SSH tools like PSFTP that is included in Putty?

  14. This is an awesome tutorial – I love the way you’ve walked through it. I kinda understand things a lot better from it.

    For all that I can’t seem to get it to work for me.
    Tried a couple of times as it’d be hugely helpful for me, but whenever I make the changes I get locked out from access on all my accounts so have to reset everything in the sshd_config file.

    The only thing I’ve noticed that could be messing things up is the following lines in the /etc/ssh/sshd_config file:
    UseDNS no
    AllowUsers demo

    1. What I would suggest first is using a copy of the default untouched sshd_config.

      nano +76 sshd_config

      change the line

      Subsystem sftp /usr/lib/openssh/sftp-server

      to

      Subsystem sftp internal-sftp

      then scroll to the bottom of the file and after UsePAM yes add

      ForceCommand internal-sftp

      You should be able to use filezilla etc to log in using any account including root (so don’t do this on a live in the wild server). From there you can troubleshoot to see which of your modifications is causing a problem.

  15. Great instructions – thanks. I wonder if there is a way to implement to your method features included in mysecureshell solution. I am looking for assigning download/upload speed for a given user and generally some monitoring tools for sftp server.
    Thanks again,

  16. Fantastic!!! I switched over to Linux about 6 months ago and learned a lot from your post. Have you ever considered becoming a teacher? My little brother is downloading a movie and slowing my PC way down! 🙂

  17. Hi Ben… this is me from the tweet

    Actually I did your tutorial, and I don’t understand why my sftp user still can access the root directory. ex:

    I have user ‘tamu’ on ‘sftp’ group. and here my sshd_config

    Match group sftp
    ChrootDirectory /homr/%u
    x11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp

    I try to connect from filezilla under windows 7, I’ve got successful connect for user ‘tamu’, but when I try access previous directory, ‘tamu’ still can access it. is it normal or am I wrong ??


    When I try to access the root directory it is still possible. How can I jail the user to be in the /home/tamu directory, so it can’t access any other directory outside /home/tamu, even if it is just a home user.

    please reply soon.

    1. Hi Agung, you are not the only person who has fallen for this trap. Unfortunately you cannot chain home directories using this technique. Comment #15 in this article mentions this as well.

      Specifies a path to chroot(2) to after authentication. This path, and all its components, must be root-owned directories that are not writable by any other user or group.

      User home directories do not meet this requirement.

  18. Do you mean that this trick can’t be done in the ‘home’ directory??
    But I’ve tried on /var/www, it seems all the same. So here is my solution

    I take

    usermod -s /bin/false “user”

    after that, the user is finally jailed in the directory. But I don’t know if this is correct or not.

    1. A home sub-directory is owned by a local account. The requirement for an SFTP chroot directory is that it cannot be writable by any user or group other than the ‘root’ account. But the user directories in /home are always writable by their owners. For example /home/ben is going to have read, write and execute permissions for the user and group ‘ben’, so it is not usable as an SFTP chroot. If you want to set it up for SFTP chroot you need to remove the +w write permission of /home/ben for the user and group ‘ben’. But that means the local user ‘ben’ cannot write or save any changes to its home directory, making it useless.

      You’re better off creating a separate SFTP container directory such as /var/sftp/ben/ with root only write access and using that for SFTP hosting.

  19. Hello Ben,
    Very nice post. Thank you for providing such detail information. I have a small doubt, Can I access SFTP from browser without using a Filezilla like softwares?? And if yes, How?
    Thanking you.

    1. Hi Kishor, unfortunately browsers do not support SFTP unless you install some kind of add-on. Most web browsers only know how to deal with the FTP and HTTP/S protocols.

      I did a quick search but couldn’t find any browser add-ons for either Chrome or Firefox. Maybe you might have better luck.

      1. Hello Ben,
        Thanks for quick reply. But I got success with firefox. I am not aware much with SFTP/FTP , so I dont know I am doing right or wrong, But I got success. Your post is very useful. Thanks for such informative post.
        Thanking you.

      1. Now I understand that SFTP is SSH! It is possible to implement security in the FTP server. I’ve done that configuration and the test user cannot use FTP now. Thanks, it is a pleasure to learn.

      2. Hi Ben. Our SFTP is now working fine for several “jailed” providers.
        I have a beginner’s doubt: how do you evaluate the relative advantages between SFTP and FTPS?

        1. It does depend on your needs.

          SFTP for many cases is the superior protocol. It comes built-in with Secure Shell (SSH) that most servers already run, so that is one less background daemon. SFTP is always encrypted, there is no unencrypted version of the protocol. It only requires a single accessible port (22) which is usually preconfigured for secure terminal access so I believe it is easier to configure through firewalls.

          If you have a need for FTPS because clients need to be chained to their home directories or they request support for it etc then by all means use it. But I am of the belief that less is more when it comes to servers. The more ports open and daemons running on your server, the more maintenance and configuration it requires and the higher potential for a security hole.

          The most important thing though is that you’re not running unencrypted FTP that passes along login details in human readable plain text.

    1. Hi,

      To prevent your virtual sftp users from using your ftp server in case you decided to have both sftp & ftp servers running on your system you may put your virtual users names into /etc/ftpusers file so they will be okay with entering your sftp service but their attempts to use your ftp service is going to be turned down.

      I suspect that this is what you tried to do.



      1. Hi Pawel.
        Our SFTP is now working fine for several “jailed” providers. I’ve added the actual FTP providers to /etc/ftpusers and created new SFTP users. Solved.

        I have a beginner’s doubt: how do you evaluate the relative advantages between SFTP and FTPS?
        Best regards,

  20. Thank you Ben. This is very helpful. I’m curious – why do the user ids need to match the group id for sftponly?

    1. Hi Youssef,

      That is a good question but as I wrote the article a few years ago I don’t remember off the top of my head so this may not be correct.

      But I believe the matching group/user id’s are required so SFTP can apply the correct default permissions to user created directories and user file uploads within the chroot directory.

  21. Please help me… I locked myself out!!! I’m a newbie and I made a STUPID thing!!!
    I followed the procedures of the page, but instead of creating a group sftponly I gave my own username, which is also the same user that I access remotely with (SSH). Now I can access sftp. But I cannot access SSH anymore by PuTTY and I cannot use sudo su username. When I start PuTTY and log in with username and password, the system remains blinking and does not give me access. As sftp I can access var/www, but in graphic mode with WinSCP, and I do not know how to give commands in this folder… there is no terminal… If I could give the sudo su I could erase the procedure… help me please.

    1. Hi Trevis, you will need to contact your hosting provider to try and get them to restore your user access. Or get them to give you the details of the root account so you can use that to login and restore your personal account access.

  22. Thanks Ben, great demonstration.
    I had 1 issue to solve : I initially configured SSH to allow connections from identified clients only, using a public Key. Then I set: PasswordAuthentication no
    As a consequence, SSH client could log in automatically, but SFTP client could not log in.
    Is there a way to require that SFTP also logs in using the client’s public key ?

    1. Hi Frédéric, thanks and I am glad to hear the article was useful.

      Unfortunately I am not an expert with public/private key authentications. The only issue I can think of would maybe be the SFTP client is not handling the public key?

  23. Great and complete article! Also easy to follow.
    I have one question..
    When I connect with filezilla, I can also cd to the parent directories, view files and download them.
    How to stop this? Tnx!

  24. I followed these steps and when I log in with test credentials, I can browse the entire server. My test user is not restricted to the ftp directory. While the user may not have write permission, it can still see everything. I need the user locked down to the ftp directory with no ability to browse anything but the contents of the one folder.
    Any ideas here?

    1. Hi Jarreau, you may need to re-read the article and confirm you followed all the steps correctly. What you’re specifically wanting to do is covered and is known as the ‘ChrootDirectory’.

  25. Hi Ben

    Awesome post thanks for helping us. I am having an issue, I follow the tutorial everything turns ok but when I try to connect via SFTP my FileZilla just show me the following message

    Connecting to (My IP)
    Response: fzSftp started, protocol_version=8
    Command: open “myuser@myIP” 22

    Error: Network error: Connection timed out
    Error: Could not connect to server

    Any idea of what I am doing wrong.

    Thanks a lot

  26. Hi Ben

    Thank you for the tutorial it was concise. I have a question and an issue though. First the issue. I can connect but when I go to transfer files the message I get is: Couldn’t get remote handle. Make sure you have permission to modify this file.

    The permissions I have are
    drwxrwxr-x 3 root sftponly 4096 Jul 3 10:37

    Match group sftponly
    ChrootDirectory /srv
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp

    cat /etc/passwd

    cat /etc/group

    Also at the moment a user can see all websites as the Chroot is set to /srv how would I limit each user to just to their own website…? so instead of seeing /srv user1 just sees /srv/website1 and user2 sees /srv/website2 respectively.


    1. So setting the permissions to 777 allows me to upload files… but obviously this is a temporary fix to allow me to get the site up. I’ve been searching online and can’t seem to find a solution… Could you shed any light on the situation?

    2. Hi James,

      Is the /srv directory root:root? The ChrootDirectory has to be owned and assigned root plus it cannot have group write access.

  27. I did this and chown root:sftponly -R * to all the website files, as the actual html files are stored in /srv/

    But I get this error popping up every time I log in with sftp using Coda 2. In the site preferences the remote folder is /. So I’m not sure why this is happening.

    Could not change directory to “/htdocs/”. File not found.

    More importantly though is there anyway to do this: Also at the moment a user can see all websites as the Chroot is set to /srv how would I limit each user to just to their own website…? so instead of seeing /srv user1 just sees /srv/website1 and user2 sees /srv/website2 respectively.

    1. Hi James, unfortunately I am not tech support. I suggest creating a test case using /var/www as Chroot & following the article exactly. If it works as expected then you can compare its permissions to /srv. If it too fails, then at least you know something else on the system is conflicting with ssh or its configuration is wrong.
