SFTP Only Access on Laravel Forge Server

Requirements

Let's say you want to create 3 SFTP-only users on the server:

  1. mainuser : can browse all users' folders and files

  2. user01 : can only view/edit its own folder and files

  3. user02 : can only view/edit its own folder and files

Creating Users and Directories

  1. Create the 3 users

    sudo adduser mainuser
    sudo adduser user01
    sudo adduser user02
    
  2. Create folders for user01 and user02

    sudo mkdir -p /var/sftp/user01/uploads
    sudo mkdir -p /var/sftp/user02/uploads
    
  3. Keep the per-user directories owned by root, writable by root only, and readable/executable by everyone else. sshd requires this for a ChrootDirectory: the directory and every parent up to / must be owned by root and must not be writable by group or others, otherwise the login is refused

    sudo chmod 755 /var/sftp/user01
    sudo chmod 755 /var/sftp/user02
    
  4. Change the ownership of the uploads directory to the user you just created, so that user can write there

    sudo chown user01:user01 /var/sftp/user01/uploads
    sudo chown user02:user02 /var/sftp/user02/uploads
    
  5. Change the group of /var/sftp to mainuser so mainuser can see all user folders

    sudo chown root:mainuser /var/sftp

  The owner of /var/sftp stays root, which sshd requires for a ChrootDirectory. With the modes set above mainuser can read every user's files but cannot modify them: each uploads directory is owned by its own user and, under the default umask, is not group-writable. If mainuser is meant to edit or delete other users' files, the uploads directories need a group that mainuser can write through.
    

Restricting Access to Directory

Note 1: We create one sshd file per user because it is cleaner than editing the main config, and on Ubuntu 20.04 and later (OpenSSH 8.2+) /etc/ssh/sshd_config contains `Include /etc/ssh/sshd_config.d/*.conf`, so the files are picked up automatically. Confirm that Include line exists before relying on it. Settings inside a Match block override the global ones for that user, which is why `PasswordAuthentication yes` below takes effect even when the main sshd_config disables password authentication globally.

Note 2: Once chrooted, user01 and user02 see /var/sftp/user01 (or /var/sftp/user02) as /. That directory is root-owned, so they land in their own folder but can only create files and folders inside uploads.

  1. Create mainuser sshd config file

    sudo nano /etc/ssh/sshd_config.d/mainuser.conf
    
  2. Add to the newly created mainuser conf file

    Match User mainuser
    ForceCommand internal-sftp
    PasswordAuthentication yes
    ChrootDirectory /var/sftp/
    PermitTunnel no
    AllowAgentForwarding no
    AllowTcpForwarding no
    X11Forwarding no
    
  3. Create user01 sshd config file

    sudo nano /etc/ssh/sshd_config.d/user01.conf
    
  4. Add to the newly created user01 conf file

    Match User user01
    ForceCommand internal-sftp
    PasswordAuthentication yes
    ChrootDirectory /var/sftp/user01
    PermitTunnel no
    AllowAgentForwarding no
    AllowTcpForwarding no
    X11Forwarding no
    
  5. Create user02 sshd config file

    sudo nano /etc/ssh/sshd_config.d/user02.conf
    
  6. Add to the newly created user02 conf file

    Match User user02
    ForceCommand internal-sftp
    PasswordAuthentication yes
    ChrootDirectory /var/sftp/user02
    PermitTunnel no
    AllowAgentForwarding no
    AllowTcpForwarding no
    X11Forwarding no
    
  7. Restart the sshd service so the new Match blocks take effect

    sudo systemctl restart sshd
    
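The whole procedure above as one script, added here as an example; it is not code from the original post, from the DigitalOcean tutorial it links, or from Laravel Forge. It assumes an Ubuntu/Debian host (GNU stat, /usr/sbin/nologin, an Include line for /etc/ssh/sshd_config.d/*.conf in sshd_config), that the three users already exist from step 1, and that it runs as root. The file name sftp-users.sh, the SFTP_ROOT and SSHD_CONF_DIR variables, the provision/check subcommands and the nologin shell are this example's own additions. The sftp_check_chroot_path function is the check worth running before touching sshd: it walks the chroot path upward and fails on the first directory that is not root-owned or is group/world-writable, which is exactly the condition that makes sshd reject the login.

```shell
#!/bin/bash
# Added example (not the post's, Forge's or DigitalOcean's code): the post's steps
# as one idempotent script plus the checks worth running before reloading sshd.
# Assumes Ubuntu/Debian (GNU stat, /usr/sbin/nologin, sshd_config includes
# /etc/ssh/sshd_config.d/*.conf) and that the three users exist (step 1).
#   sudo ./sftp-users.sh provision   # tree, snippets, sshd -t, sshd -T, reload
#   sudo ./sftp-users.sh check       # only verify the chroot permission chains
set -eu

SFTP_ROOT="${SFTP_ROOT:-/var/sftp}"
SSHD_CONF_DIR="${SSHD_CONF_DIR:-/etc/ssh/sshd_config.d}"
RESTRICTED_USERS="user01 user02"   # chrooted to their own directory
ADMIN_USER="mainuser"              # chrooted to the whole SFTP root, read-only

# Print the Match block for one user; $2 is its ChrootDirectory.
sftp_match_block() {
  cat <<EOF
Match User $1
ForceCommand internal-sftp
PasswordAuthentication yes
ChrootDirectory $2
PermitTunnel no
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no
EOF
}

# Create <root>/<user>/uploads with the post's ownership model: the chroot
# directory stays root-owned and 755, only "uploads" belongs to the user.
# $3 overrides the uploads owner (test hook; defaults to user:user).
sftp_make_tree() {
  local root="$1" user="$2" owner="${3:-$2:$2}"
  mkdir -p "$root/$user/uploads"
  chmod 755 "$root" "$root/$user"   # explicit, so the umask cannot loosen it
  chown "$owner" "$root/$user/uploads"
}

# sshd rejects a ChrootDirectory unless it and every parent are owned by root
# and not group- or world-writable. Walk upward and report the first offender.
# $2 = where to stop walking (default /), $3 = expected owner (default root);
# both exist so the check can be dry-run against a temporary tree.
sftp_check_chroot_path() {
  local d="$1" top="${2:-/}" owner="${3:-root}" o m
  while :; do
    o="$(stat -c %U "$d")"
    m="$(stat -c %a "$d")"   # e.g. 755 or 1777; the digits are read as decimal below
    if [ "$o" != "$owner" ]; then
      echo "chroot check: $d owned by $o, expected $owner" >&2; return 1
    fi
    # bit 2 of the group digit and of the other digit is the write bit
    if [ $(( (m / 10 % 10) & 2 )) -ne 0 ] || [ $(( (m % 10) & 2 )) -ne 0 ]; then
      echo "chroot check: $d is group/world-writable (mode $m)" >&2; return 1
    fi
    if [ "$d" = "$top" ] || [ "$d" = "/" ]; then break; fi
    d="$(dirname "$d")"
  done
}

# Write $SSHD_CONF_DIR/<user>.conf from the Match block above.
write_user_conf() {
  local f="$SSHD_CONF_DIR/$1.conf"
  sftp_match_block "$1" "$2" > "$f"
  chmod 644 "$f"
}

case "${1:-}" in
  provision)
    for u in $RESTRICTED_USERS $ADMIN_USER; do
      id "$u" > /dev/null                # fail early if step 1 was skipped
      usermod -s /usr/sbin/nologin "$u"  # hardening beyond the post: no shell,
    done                                 # internal-sftp never needs one
    for u in $RESTRICTED_USERS; do
      sftp_make_tree "$SFTP_ROOT" "$u"
      write_user_conf "$u" "$SFTP_ROOT/$u"
      sftp_check_chroot_path "$SFTP_ROOT/$u"
    done
    chown "root:$ADMIN_USER" "$SFTP_ROOT"
    write_user_conf "$ADMIN_USER" "$SFTP_ROOT"
    sftp_check_chroot_path "$SFTP_ROOT"
    sshd -t                              # syntax check before touching the daemon
    for u in $RESTRICTED_USERS $ADMIN_USER; do
      echo "== effective sshd settings for $u"   # add host=/addr= if other Match types exist
      sshd -T -C "user=$u" | grep -E '^(chrootdirectory|forcecommand|passwordauthentication) '
    done
    systemctl reload sshd                # reload keeps existing sessions; restart also works
    ;;
  check)
    for u in $RESTRICTED_USERS; do sftp_check_chroot_path "$SFTP_ROOT/$u"; done
    sftp_check_chroot_path "$SFTP_ROOT"
    ;;
esac
```

`sudo ./sftp-users.sh provision` ends by printing the effective settings from `sshd -T -C user=...` for each user, so you can confirm that the Match block really applied (chrootdirectory and forcecommand should show the intended values) before sshd is reloaded. If your sshd_config also contains Match Address or Match Host blocks, add host= and addr= to the -C spec, otherwise sshd refuses to evaluate the test configuration.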

Resource

digitalocean.com/community/tutorials/how-to..