SFTP Only Access on Laravel Forge Server
Requirements
Let's say you want to create 3 SFTP only users
mainuser : manage other users' folders and files
user01 : can only view/edit own folder and files
user02 : can only view/edit own folder and files
Creating Users and Directories
Create the 3 users
sudo adduser mainuser sudo adduser user01 sudo adduser user02
Create folders for user01 and user02
sudo mkdir -p /var/sftp/user01/uploads sudo mkdir -p /var/sftp/user02/uploads
Give root write permissions to the same directory, and give other users only read and execute rights
sudo chmod 755 /var/sftp/user01 sudo chmod 755 /var/sftp/user02
Change the ownership for the uploads directory to the user you just created
sudo chown user01:user01 /var/sftp/user01/uploads sudo chown user02:user02 /var/sftp/user02/uploads
Change ownership to mainuser to view all user folders
sudo chown root:mainuser /var/sftp
Restricting Access to Directory
Note 1: We are creating a new sshd file because it would be cleaner and /etc/ssh/sshd_config
automatically includes .conf
files in /etc/ssh/sshd_config.d/
Note 2: user01/user02 will default to its own folder, but cannot create folders or files outside the uploads folder
Create mainuser sshd config file
sudo nano /etc/ssh/sshd_config.d/mainuser.conf
Add to the newly created mainuser conf file
Match User mainuser ForceCommand internal-sftp PasswordAuthentication yes ChrootDirectory /var/sftp/ PermitTunnel no AllowAgentForwarding no AllowTcpForwarding no X11Forwarding no
Create user01 sshd config file
sudo nano /etc/ssh/sshd_config.d/user01.conf
Add to the newly created user01 conf file
Match User user01 ForceCommand internal-sftp PasswordAuthentication yes ChrootDirectory /var/sftp/user01 PermitTunnel no AllowAgentForwarding no AllowTcpForwarding no X11Forwarding no
Create user02 sshd config file
sudo nano /etc/ssh/sshd_config.d/user02.conf
Add to the newly created user02 conf file
Match User user02 ForceCommand internal-sftp PasswordAuthentication yes ChrootDirectory /var/sftp/user02 PermitTunnel no AllowAgentForwarding no AllowTcpForwarding no X11Forwarding no
Restart sshd service
sudo systemctl restart sshd