Using SFTP from SSH daemon is, in my opinion, not really well-documented and thrown errors are not always very explicit.
Add some security in the mix and nothing works as expected.
This is a short guide (acting a bit as a memo I admit) for SSH + SFTP + Chroot + Public key authentication
On the “SFTP” server
Firstly we will create a new unprivileged user, without any password :
Now that is done, we may start our reception folder creation (still as
As clients will put their files into
folder/, the user they will be using must have permissions on it :
This is important, each one of the path elements guiding to the chroot destination folder MUST HAVE
0755 UNIX permissions
You can enforce this statement with the following (commented lines should be already OK, but who knows ?) :
If you don’t,
sshwon’t be able to chroot anywhere and your operations will crash with misguiding error in SSH logs.
Now we may tweak SSH configuration (
-P parameter allows us to restrain the operations that clients will be able to perform (black-list).
read,remove set, clients won’t be able to fetch nor remove any files already present (useful for a write-only backup folder).
/usr/lib/openssh/sftp-server -Q requests to check which protocol requests you may provide.
I’ve tried to use the
-p that is on the contrary a protocol requests white-list, but couldn’t figure out why it didn’t work with the thrown errors…
Please note that those protocol requests HAVE NOTHING TO DO with the (S)FTP commands that could be sent (
-d parameter will set clients directly into
Very useful for interactive FTP operations, ‘cause you won’t have to
cd into the directory.
Finally, we restart the
sshd daemon :
On the “SFTP” clients
We will begin here by generating a new ED25519 keys pair :
Before continuing, you’ll have to paste the public key within
/home/archiver/.ssh/authorized_keysfile on your SFTP server.
Now, you should be allowed to perform your first SFTP operation () :
The command issued in the snippet above IS AN EXAMPLE. Feel free to adapt it your way.