1) First, we need to create a new group for SFTP users. To this group, we add users that will be able to connect to SFTP. Only users added to this group will be able to SFTP in to your server (of course, this does not limit the root user — you do not want to add root to this group, nor modify the root user at all). To do this, we’ll use the following command:

groupadd sftpusers

You can, of course, choose another group name if you’d like. The name of the group doesn’t have to be sftpusers (it could be anything, as long as the group does not already exist).

 

2) Now that we have our SFTP group, we can use the following command to add new users to that group, thus, once we’re done, allowing them to use SFTP.

useradd -g sftpusers -d /path/to/users/home -s /sbin/nologin username```

-g specifies the group name (referencing the group we just created in #1).

-d specifies the users home directory (i.e. /home/username/htdocs/public_html for example)

-s specifies shell access (/sbin/nologin means SSH is disabled for this user, as it should be)

The last part of the command, username, is the username of the user you’d like to add. So, for example, if I wanted to create a new user by the name of exampleuser, and a directory of /home/exampleuser/htdocs/public_html, I’d run:

useradd -g sftpusers -d /home/exampleuser/htdocs/public_html -s /sbin/nologin exampleuser

 

3) Verify the user by checking /etc/passwd. The newly created user should appear the bottom of the list.

grep exampleuser /etc/passwd

 

4) If you’d like to modify an existing user, we can use the following command:

usermod -g sftpusers -d /path/to/users/home -s /sbin/nologin existinguser

Simply change -d to the users home directory and existinguser to the user you wish to modify.

 

5) We now need to modify our SSH Configuration to allow SFTP (as this is often no enabled by default, at least for users other than root). To do this, we need to load up our SSH configuration file.

sudo nano /etc/ssh/sshd_config

If you see:

Subsystem      sftp    /usr/libexec/openssh/sftp-server

Comment it out like so:

#Subsystem      sftp    /usr/libexec/openssh/sftp-server

If that line does not exist, simply add the following to the end of the file:

Subsystem sftp internal-sftp
    Match group sftpusers
    ChrootDirectory %h
    ForceCommand internal-sftp

What this does is set SSH to allow SFTP, requires that the users usergroup match sftpusers, sets the SFTP directory to their specified home directory (the one we set when we either created or modified the user) and forces the use of the internal SFTP server. This prevents us from having to use another piece of software to handle SFTP.

Now we need to restart SSH by issuing:

sudo service ssh restart

 

6) Now that we have everything setup, we need to make one final modification to the permissions we have set on our directories (this would need to be done for each user).

For this example, I’ll use the home directory I referenced above

/home/exampleuser/htdocs/public_html

For SFTP to properly work, we need to make sure the home directory is owned by the user and group we just set, everything else needs to be owned by root. So if we set our home directory to the above, we need to run:

chown -R examplegroup:sftpusers /home/exampleuser/htdocs/public_html

You can verify the ownership changing over to /home/exampleuser/htdocs/

cd /home/exampleuser/htdocs/

and running

ls -al

 

So you should see the following ownership when running the ls -al command:

root:root /home/
root:root /home/exampleuser/
root:root /home/exampleuser/htdocs/

exampleuser:sftpusers /home/exampleuser/htdocs/public_html

If that’s what you see, you should now be able to SFTP in as exampleuser using your Droplet IP and the password you set for this user. If you’ve not yet set a password, you can use the passwd command from the CLI:

passwd exampleuser

and you’ll be prompted to set a password.