SFTP
****

::

  sudo vim /etc/ssh/sshd_config

Changes to make to ``sshd_config`` (notes after this section):

::

  ChallengeResponseAuthentication yes

  # Subsystem sftp /usr/lib/openssh/sftp-server
  # http://www.debian-administration.org/articles/590
  Subsystem sftp internal-sftp

  # http://knowledgelayer.softlayer.com/learning/how-do-i-permit-specific-users-ssh-access
  AllowGroups sshlogin sftponly

  # http://serverfault.com/questions/154957/set-up-sftp-to-use-password-but-ssh-not-to-use-password
  Match Group sftponly
    PasswordAuthentication yes
    ChrootDirectory /srv/sftp/%u
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp

  Match Group sshlogin
    PasswordAuthentication no

Note
----

- I had to use ``ChallengeResponseAuthentication`` when using port forwarding
  through my router.
- Comment out ``sftp-server`` and use ``internal-sftp`` instead.
- A user must be in the ``sshlogin`` group if they want to use ``ssh``.
- A user must be in the ``sftponly`` group if they want to use ``sftp``.
  A user shouldn't be in both groups.
- ``Match`` blocks must be at the end of the file.
- I don't want standard ``ssh`` users to be able to log in using passwords.

To check the ``ssh`` configuration:

::

  sshd -t

I think we can ignore the ``Could not load host key`` errors?

::

  sudo addgroup sshlogin
  sudo addgroup sftponly

For all the users who need access to ``ssh``:

::

  sudo adduser patrick sshlogin

Set up folders for ``sftp``:

::

  sudo mkdir /srv/sftp/
  sudo chown root:root /srv /srv/sftp
  sudo chmod 755 /srv /srv/sftp

For users who need access to ``sftp`` (only):

::

  sudo adduser username sftponly

  # sftp folders
  sudo mkdir /srv/sftp/username
  sudo chown root:root /srv/sftp/username/
  sudo chmod 755 /srv/sftp/username/

  # upload folder
  sudo mkdir /srv/sftp/username/upload
  sudo chown username:username /srv/sftp/username/upload/

  # modify an existing user
  sudo usermod -g sftponly -d /srv/sftp/username -s /sbin/nologin username

Note: The user can only upload files to the ``upload`` folder (or a folder
where they have write permission). I don't think ``sftp`` will be happy if we
change permissions on the ``/srv/sftp/username`` folder.
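
The ``chown root:root`` / ``chmod 755`` steps above follow from the ``ChrootDirectory`` rule in ``sshd_config(5)``: every component of the chroot path must be a root-owned directory that is not writable by group or other. The following is an added example, not part of the original notes, that audits a path against that rule; the function name and the ``owner_uid`` parameter are assumptions made for this example.

```python
import os
import stat


def chroot_path_problems(path, owner_uid=0):
    """Return (component, problem) pairs that break the ChrootDirectory rule.

    sshd_config(5): all components of the chroot pathname must be root-owned
    directories that are not writable by any other user or group.
    owner_uid is an assumption added for this example so the check can be
    exercised without root; leave it at 0 for a real audit.
    """
    # Collect every component from the target up to "/".
    components = []
    current = os.path.abspath(path)
    while True:
        components.append(current)
        parent = os.path.dirname(current)
        if parent == current:
            break
        current = parent

    problems = []
    for comp in reversed(components):  # walk from "/" down to the target
        try:
            st = os.stat(comp)
        except FileNotFoundError:
            problems.append((comp, "does not exist"))
            break
        if not stat.S_ISDIR(st.st_mode):
            problems.append((comp, "not a directory"))
            continue
        if st.st_uid != owner_uid:
            problems.append(
                (comp, f"owned by uid {st.st_uid}, expected {owner_uid}"))
        if st.st_mode & 0o022:  # group-write or other-write bit set
            mode = stat.S_IMODE(st.st_mode)
            problems.append((comp, f"group/other writable (mode {mode:o})"))
    return problems


if __name__ == "__main__":
    # Constructed sample path following the layout used in these notes.
    for comp, problem in chroot_path_problems("/srv/sftp/username"):
        print(f"{comp}: {problem}")
```

An empty result means the path satisfies the rule; the ``upload`` folder is deliberately not part of the checked path, which is why it can be owned by the user.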