All actions will also be relevant for CentOS/RHEL systems. In this example, a user will be added for access via SFTP using an SSH key to the web directory under Apache management. There is a default for Apache group “apache“, if necessary, replace the desired one.
All sites are on the dir:
/var/www/htmlAdd the user sftpuser (already in the existing group):
useradd -g apache -d /var/www/html -s /sbin/nologin sftpuserLet’s give the group rights to write, since we will change the owner:
chmod -R g+w /var/www/html/*Change the ownership of files:
chown -R sftpuser:apache /var/www/html/*The “html” directory itself should not belong to the “sftpuser” user
Create a directory for public keys and give it the necessary rights:
mkdir /var/www/html/.sshchmod 700 /var/www/html/.sshIn this directory, create two files and place the public SSH key in them:
authorized_keysid_rsa.pubSet the necessary rights to the file:
chmod 644 /var/www/html/.ssh/*Making the user sftpuser owner:
chown -R sftpuser:apache /var/www/html/.sshOpen the SSH server configuration file:
vim /etc/ssh/sshd_configReplace the string:
Subsystem sftp /usr/libexec/openssh/sftp-serverOn the following:
Subsystem sftp internal-sftpAnd add the following block to the end of the file:
Match Group apache
X11Forwarding no
AllowTcpForwarding no
ChrootDirectory %h
ForceCommand internal-sftpReboot the SSH service:
service restart sshdWe connect via SFTP client by specifying the username “sftpuser” and the path to the private SSH key, on the basis of which the public one was generated, the port for connection is SSH port (by default 22).
Leave a Reply