1). If you'll see the mini guide below, you'll be able to knock this out relatively quickly :-). This will also set you up for #2 as well, if #2 is what you're wanting.
2). SCP requires SSH, so you wouldn't be able to allow SCP and deny SSH. If you meant SFTP, then yes, you can deny SSH access and still allow SFTP.
--
First thing, launch PuTTy, Terminal or your preferred application to access your Droplet and login as either
root or your sudo user.--
1). First, we need to create a new group for SFTP users. To this group, we add users that will be able to connect to SFTP. Only users added to this group will be able to SFTP in to your server (of course, this does not limit the
root user -- you do not want to add root to this group, nor modify the root user at all). To do this, we'll use the following command:groupadd sftpusers
sftpusers (it could be anything, as long as the group does not already exist).--
2). Now that we have our SFTP group, we can use the following command to add new users to that group, thus, once we're done, allowing them to use SFTP.
useradd -g sftpusers -d /path/to/users/home -s /sbin/nologin username```
-g specifies the group name (referencing the group we just created in #1).-d specifies the users home directory (i.e. /home/username/htdocs/ for example)-s specifies shell access (/sbin/nologin means SSH is disabled for this user, as it should be)The last part of the command,
username, is the username of the user you'd like to add. So, for example, if I wanted to create a new user by the name of exampleuser, and a directory of /home/exampleuser/htdocs/, I'd run:useradd -g sftpusers -d /home/exampleuser/htdocs/ -s /sbin/nologin exampleuser
3). Verify the user by checking
/etc/passwd. The newly created user should appear the bottom of the list.grep exampleuser /etc/passwd
4). If you'd like to modify an existing user, we can use the following command:
usermod -g sftpusers -d /path/to/users/home -s /sbin/nologin existinguser
-d to the users home directory and existinguser to the user you wish to modify.--
5). We now need to modify our SSH Configuration to allow SFTP (as this is often no enabled by default, at least for users other than
root). To do this, we need to load up our SSH configuration file.sudo nano /etc/ssh/sshd_config
Subsystem sftp /usr/libexec/openssh/sftp-server
#Subsystem sftp /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftp
Match group sftpusers
ChrootDirectory %h
ForceCommand internal-sftp
sftpusers,
sets the SFTP directory to their specified home directory (the one we
set when we either created or modified the user) and forces the use of
the internal SFTP server. This prevents us from having to use another
piece of software to handle SFTP.Now we need to restart SSH by issuing:
sudo service ssh restart
6). Now that we have everything setup, we need to make one final modification to the permissions we have set on our directories (this would need to be done for each user).
For this example, I'll use the home directory I referenced above
/home/exampleuser/htdocs/
root. So if we set our home directory to the above, we need to run:chown -R examplegroup:sftpusers /home/exampleuser/htdocs/public_html
/home/exampleuser/htdocs/cd /home/exampleuser/htdocs/
ls -al
So you should see the following ownership when running the
ls -al command:root:root /home/
root:root /home/exampleuser/
root:root /home/exampleuser/htdocs/
exampleuser:sftpusers /home/exampleuser/htdocs/public_html
exampleuser using your Droplet IP and the password you set for this user. If you've not yet set a password, you can use the passwd command from the CLI:passwd exampleuser
--
If you need any help or are confused by any of the above, just let me know and I'll be more than happy to help!
Access privilege of home directory and all above MUST be 755 or 750.
For the permissions here are the ls-al lines:
/var :
/var :
drwxr-xr-x. 21 root root 4096 Nov 30 10:38 var
drwxr-xr-x 10 root root 4096 Nov 30 10:55 www
drwxr-xr-x 3 root root 4096 Nov 29 13:06 www.brianjeon.com
drwxr-xr-x 2 brianjeon sftpusers 4096 Nov 29 17:59 public_html
