How do I create an SFTP user on my Lightsail instance?

Last updated: 2021-10-14

I want to create an SFTP user on my Amazon Lightsail instance. How can I do this?


Note: The following steps create an SFTP user who has access to chroot environment (chroot jail) with no SSH access. The SFTP user can't access the directories outside the chroot environment or directory. So, the chroot directory becomes the root directory for the user.

1.    Create a group for the SFTP users. The group helps manage many different SFTP users. In this example, the group name is sftp_group. You can change the name to a group name of your choice.

sudo groupadd sftp_group

2.    Create a user on the instance with a home directory. This user performs SFTP tasks only and doesn't have an SSH login shell. In the following example, replace sftp_user with a user name of your choice.

sudo useradd -g sftp_group -m -d  /home/sftp_user -s /sbin/nologin sftp_user

3.    The user can authenticate in different ways when connecting to the server through SFTP. The following example uses a password and SSH key-based authentication.

Password authentication

To require password authentication, create a password using the following command:

sudo passwd sftp_user

SSH key-based authentication

If you're using SSH key-based authentication, you need to create the SSH files for the user and then add the public key to the files. To do this:

In the home directory of the user, create a .ssh folder and an authorized_keys file:

sudo mkdir /home/sftp_user/.ssh
sudo touch /home/sftp_user/.ssh/authorized_keys

Add the SSH public key you want to use to the /home/sftp_user/.ssh/authorized_keys file. For more information, see Set up SSH for your Linux/Unix-based Lightsail instances.

Run the following commands to change the ownership and permissions of the home directory of the user:

sudo chown sftp_user:sftp_group /home/sftp_user/.ssh -R
sudo chown root:sftp_group /home/sftp_user/
sudo chmod 755 /home/sftp_user/ 
sudo chmod 700 /home/sftp_user/.ssh/
sudo chmod 600 /home/sftp_user/.ssh/authorized_keys

The preceding example uses permission 755 on the /home/sftp_user directory and changes ownership to the root user. This is because the directory is going to be used as a chroot directory. Keep in mind that all components of the pathname must be root-owned directories that aren't writable by any other user or group.

4.    Edit the /etc/ssh/sshd_config file by doing the following:

Modify the Subsystem sftp line by commenting out the Subsystem sftp /usr/libexec/openssh/sftp-server line:

# Subsystem sftp /usr/libexec/openssh/sftp-server

Replace the preceding line with:

Subsystem sftp internal-sftp

Add directives to limit the SFTP users access. These directives must be added at the bottom of the file:

Match Group sftp_group
ChrootDirectory /home/%u
ForceCommand internal-sftp

In the preceding example, the ChrootDirectory directive is used to specify the root directory for the SFTP users (chroot jail). Match block the user belonging to the sftp_group uses the path /home/%u as their root directory. The characters %u represents the user. You can change the root directory for your user.

The ForceCommand internal-sftp directive forces usage of an in-process SFTP server.

If you use password authentication, find the directive PasswordAuthentication in the /etc/ssh/sshd_config file and make sure that it is set to yes.

5.    Create the chroot directories to be used by the user. Replace the directory name sftp_user, and uploads with your preferred names.

sudo mkdir /home/sftp_user/uploads

Modify the ownership of the files:

sudo chown sftp_user:sftp_group /home/sftp_user/uploads

6.    Verify that the directory permissions are as shown in the following example:

ls -ld /home
drwxr-xr-x 3 root root 23 Oct  6 15:17 /home

ls -ld /home/sftp_user
drwxr-xr-x 3 root sftp_group 21 Oct  6 15:17 /home/sftp_user

ls -ld /home/sftp_user/uploads/
drwxr-xr-x 2 sftp_user sftp_group 6 Oct  6 15:17 /home/sftp_user/uploads/

7.    Restart the sshd service:

sudo systemctl restart sshd

8.    Connect to the instance using sftp:

Password authentication

# sftp's password:

SSH key-based authentication

# sftp -i key.pem

Did this article help?

Do you need billing or technical support?