Setting up sftp access with a key file

A while ago I configured my server for sftp access using a key instead of a password. These are the notes I took when I did it. I haven’t tested it again, but I hope it works.

1. Edit sshd_config (the server configuration, usually /etc/ssh/sshd_config) and add sftpuser to AllowUsers:

AllowUsers youruser john mary sftpuser

2. Change where the key files are located. Instead of the default ~/.ssh, put all keys in one central place. With the default AuthorizedKeysFile path, public key authentication fails for chrooted users because they do not have a home directory like the other users. To fix this, set AuthorizedKeysFile to a root-owned, non-world-writable directory and move the existing users’ keys there.

# %u expands to the login name, so sftpuser's key goes in /etc/ssh/authorized_keys/sftpuser
AuthorizedKeysFile /etc/ssh/authorized_keys/%u

# Match blocks must come after the global settings; these lines apply only to sftpuser
Match User sftpuser
   # %h is the home directory; it and every parent must be root-owned and
   # not group- or world-writable, which is what step 3 sets up
   ChrootDirectory %h
   ForceCommand internal-sftp
   AllowTcpForwarding no
   PermitTunnel no
   X11Forwarding no

3. Run the following as root:

$ useradd sftpuser
$ mkdir /home/sftpuser
$ chown root:root /home/sftpuser/        # the chroot itself must be root-owned ...
$ chmod 755 /home/sftpuser/              # ... and not writable by group or others
$ cd /home/sftpuser
$ mkdir data                             # the only directory sftpuser can write to
$ chown sftpuser:sftpuser data
$ mkdir -p /etc/ssh/authorized_keys      # the key directory from step 2, root-owned
$ chmod 755 /etc/ssh/authorized_keys
$ # install the public key as /etc/ssh/authorized_keys/sftpuser (owner root, mode 644)
$ sshd -t                                # check the edited sshd_config before reloading sshd
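A small checker for steps 1 and 2, added here as an example and not part of the original notes: it parses sshd_config text (respecting Match scoping and case-insensitive keywords) and lists which of the settings above are missing for a given user. The sample config is constructed from the settings in this post.

```python
# Added example, not the post's own code: check an sshd_config for the settings
# from steps 1 and 2. Directives every chrooted SFTP Match block needs; None
# means "must be present, any value" (ChrootDirectory differs per setup).
REQUIRED_MATCH = {"chrootdirectory": None, "forcecommand": "internal-sftp",
                  "allowtcpforwarding": "no", "permittunnel": "no", "x11forwarding": "no"}

SAMPLE = """AllowUsers youruser john mary sftpuser
AuthorizedKeysFile /etc/ssh/authorized_keys/%u
Match User sftpuser
   ChrootDirectory %h
   ForceCommand internal-sftp
   AllowTcpForwarding no
   PermitTunnel no
   X11Forwarding no"""  # constructed sample: the post's step 1 and 2 settings

def parse_sshd_config(text):
    """Return (globals, blocks): keyword -> [values], then one dict per Match block."""
    globals_, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, value = (line.split(None, 1) + [""])[:2]  # 'Keyword value' form only
        if key.lower() == "match":  # lines up to the next Match belong to it, as in sshd
            blocks.append((value, (current := {})))
        else:  # keywords are lower-cased because sshd matches them case-insensitively
            (globals_ if current is None else current).setdefault(key.lower(), []).append(value)
    return globals_, blocks

def check_sftp_user(text, user):
    """List problems with `user`'s chrooted-SFTP setup; an empty list means all present."""
    (globals_, blocks), problems = parse_sshd_config(text), []
    allowed = " ".join(globals_.get("allowusers", [])).split()
    if allowed and user not in allowed:
        problems.append(f"AllowUsers does not list {user}")
    keys = globals_.get("authorizedkeysfile", [""])[0]  # sshd keeps the first value
    if not keys.startswith("/") or "%h" in keys:  # relative or %h paths sit in $HOME
        problems.append("AuthorizedKeysFile resolves inside the user's home")
    block = next((s for c, s in blocks if any(k.lower() == "user" and user in v.split(",")
                  for k, v in zip(c.split()[::2], c.split()[1::2]))), None)  # 'User a,b' ok
    if block is None:
        return problems + [f"no Match User {user} block"]
    for key, wanted in REQUIRED_MATCH.items():
        got = block.get(key, [None])[0]
        if got is None:
            problems.append(f"{key} missing from Match block")
        elif wanted is not None and got.lower() != wanted:
            problems.append(f"{key} is {got!r}, expected {wanted!r}")
    return problems
```

Run check_sftp_user(open("/etc/ssh/sshd_config").read(), "sftpuser") on the real file after editing; it only reads the text, so it is safe to run on a live server.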
