I want to create an SFTP user on my Amazon Lightsail instance.
Resolution
Note: The following steps create an SFTP user confined to a chroot environment (chroot jail) with no SSH shell access. The SFTP user can't access directories outside the chroot directory; for this user, the chroot directory is the root directory (/).
Set up your SFTP group and user
- Create a group for the SFTP users with the following command:
sudo groupadd sftp_group
Note: Replace sftp_group with your group name.
- Create a user on the instance with a home directory and no access to an SSH login shell. To do so, run the following command:
sudo useradd -g sftp_group -m -d /home/sftp_user -s /sbin/nologin sftp_user
Note: Replace sftp_user with your username. The nologin shell blocks interactive SSH logins; SFTP still works because internal-sftp runs inside sshd and never starts the user's shell. On Debian and Ubuntu images the binary is at /usr/sbin/nologin, so use the path that which nologin returns.
Set up user authentication with either password authentication or SSH key-based authentication
Password authentication
Use the following command to create a password:
sudo passwd sftp_user
SSH key-based authentication
- To require SSH key-based authentication, create a .ssh directory in the user's home directory and an empty authorized_keys file:
sudo mkdir /home/sftp_user/.ssh
sudo touch /home/sftp_user/.ssh/authorized_keys
- Add the SSH public key that you want to use to the /home/sftp_user/.ssh/authorized_keys file. For more information, see Set up SSH keys for Lightsail.
- To set the ownership and permissions of the user's home directory, run the following commands:
sudo chown -R sftp_user:sftp_group /home/sftp_user/.ssh
sudo chown root:sftp_group /home/sftp_user/
sudo chmod 755 /home/sftp_user/
sudo chmod 700 /home/sftp_user/.ssh/
sudo chmod 600 /home/sftp_user/.ssh/authorized_keys
Note: The preceding example sets permission 755 on the /home/sftp_user directory and changes its owner to root because this directory is used as the chroot directory. sshd requires the ChrootDirectory, and every directory above it, to be owned by root and not writable by group or others; otherwise the login fails and sshd logs "bad ownership or modes for chroot directory". Because the home directory is owned by root, the user can't write directly into it, which is why a separate user-owned subdirectory is created in a later step.
Edit the /etc/ssh/sshd_config file
- Comment out the existing Subsystem sftp line. The path to sftp-server varies by distribution; for example, it is /usr/lib/openssh/sftp-server on Debian and Ubuntu:
# Subsystem sftp /usr/libexec/openssh/sftp-server
- Replace the preceding line with the following text:
Subsystem sftp internal-sftp
- To limit SFTP user access, add the following text at the end of the file:
Match Group sftp_group
ChrootDirectory /home/%u
ForceCommand internal-sftp
In the preceding example, Match Group sftp_group applies the directives that follow it only to members of sftp_group. ChrootDirectory /home/%u sets each matched user's root directory; the characters %u expand to the username, so sftp_user is confined to /home/sftp_user. ForceCommand internal-sftp forces the use of the in-process SFTP server, so no shell or other binaries are needed inside the chroot. The block must go at the end of the file because every directive after a Match line belongs to that block until the next Match line.
- If you use password authentication, set PasswordAuthentication in the /etc/ssh/sshd_config file to yes. Password authentication is typically disabled by default on Lightsail images; to avoid enabling it for every account on the instance, put PasswordAuthentication yes inside the Match Group block rather than in the global section.
Create a writable directory inside the chroot for the user
- Because the chroot directory itself is owned by root, create a subdirectory that the user can write to:
sudo mkdir /home/sftp_user/uploads
Note: Replace sftp_user and uploads with your username and directory name.
- Give the SFTP user ownership of that directory:
sudo chown sftp_user:sftp_group /home/sftp_user/uploads
Verify your changes and restart the SSHD service
- Verify that the directory permissions look similar to the following example (the home directory owned by root and not group-writable, the upload directory owned by the user):
ls -ld /home
drwxr-xr-x 3 root root 23 Oct 6 15:17 /home
ls -ld /home/sftp_user
drwxr-xr-x 3 root sftp_group 21 Oct 6 15:17 /home/sftp_user
ls -ld /home/sftp_user/uploads/
drwxr-xr-x 2 sftp_user sftp_group 6 Oct 6 15:17 /home/sftp_user/uploads/
- Restart the SSHD service:
sudo systemctl restart sshd
Note: Before you restart, check the syntax of sshd_config with sshd -t so that a typo can't lock you out of the instance; it prints nothing when the file is valid. On Debian and Ubuntu images the service unit is named ssh rather than sshd.
Connect to the instance with SFTP
Password authentication
Run the following, and enter the user's password at the prompt:
sftp sftp_user@example.com
sftp_user@example.com's password:
SSH key-based authentication
Run the following:
sftp -i key.pem sftp_user@example.com
After you connect, pwd shows / as the remote working directory and ls lists only the uploads directory, which confirms that the user is confined to the chroot.