How do I create an SFTP user on my Lightsail instance?

3 minute read

I want to create an SFTP user on my Amazon Lightsail instance.


Note: The following steps create an SFTP user with access to a chroot environment (chroot jail) with no SSH access. The SFTP user can't access the directories outside the chroot environment or directory. For this user, the chroot directory is the root directory.

Set up your SFTP group and user

  1. Create a group for the SFTP users with the following command:

    sudo groupadd sftp_group

    Note: Replace sftp_group with your group name.

  2. Create a user on the instance with a home directory with no access to the SSH login shell. To do so, run the following command:

    sudo useradd -g sftp_group -m -d  /home/sftp_user -s /sbin/nologin sftp_user

    Note: Replace sftp_user with your username.

Set up user authentication with either password authentication of SSH key-based authentication

Password authentication

  1. Use the following command to create a password:
    sudo passwd sftp_user

SSH key-based authentication

  1. To require SSH key-based authentication, create a .ssh folder in the user's home directory. Then, create an authorized_keys file:

    sudo mkdir /home/sftp_user/.ssh
    sudo touch /home/sftp_user/.ssh/authorized_keys
  2. Add the SSH public key that you want to use to the /home/sftp_user/.ssh/authorized_keys file. For more information, see Set up SSH keys for Lightsail.

  3. To change the ownership and permissions of the user's home directory, run the following commands:

    sudo chown sftp_user:sftp_group /home/sftp_user/.ssh -Rsudo chown root:sftp_group /home/sftp_user/
    sudo chmod 755 /home/sftp_user/ 
    sudo chmod 700 /home/sftp_user/.ssh/
    sudo chmod 600 /home/sftp_user/.ssh/authorized_keys

    Note: The preceding example uses permission 755 on the /home/sftp_user directory, and then changes ownership to the root user. This user directory is used as a chroot directory.

Edit the /etc/ssh/sshd_config file

  1. In the Subsystem sftp line, comment out the Subsystem sftp /usr/libexec/openssh/sftp-server line:

    # Subsystem sftp /usr/libexec/openssh/sftp-server
  2. Replace the preceding line with the following text:

    Subsystem sftp internal-sftp
  3. To limit SFTP user access, add the following text at the end of the file:

    Match Group sftp_group
    ChrootDirectory /home/%u
    ForceCommand internal-sftp

    In the preceding example, the ChrootDirectory specifies the root directory for the SFTP users. MatchGroup identifies the users in the sftp_group who use the path /home/%u as their root directory. The characters %u represent the user. ForceCommand internal-sftp forces the use of an in-process SFTP server.

  4. If you use password authentication, set PasswordAuthentication in the /etc/ssh/sshd_config file to yes.

Create the chroot directories for the user

  1. To create a chroot directory, run the following:
    sudo mkdir /home/sftp_user/uploads
    Note: Replace the directory name, sftp_user, and uploads with your directory name.
  2. Modify ownership of the files:
    sudo chown sftp_user:sftp_group /home/sftp_user/uploads
    Note: Replace the directory name, sftp_user, and uploads with your directory name.

Verify your changes and restart the SSHD service

  1. Verify that the directory permissions appear similar to the following example:

    ls -ld /homedrwxr-xr-x 3 root root 23 Oct  6 15:17 /home
    ls -ld /home/sftp_user
    drwxr-xr-x 3 root sftp_group 21 Oct  6 15:17 /home/sftp_user
    ls -ld /home/sftp_user/uploads/
    drwxr-xr-x 2 sftp_user sftp_group 6 Oct  6 15:17 /home/sftp_user/uploads/
  2. Restart the SSHD service:

    sudo systemctl restart sshd

Connect to the instance with SFTP

Password authentication

  1. Run the following:
    # sftp's password:

SSH key-based authentication

  1. Run the following:
    # sftp -i key.pem
AWS OFFICIALUpdated 2 days ago