Prerequisites
Before creating an SFTP-only user, make sure you have:
- SSH access to your VPS
- Root or sudo privileges
- OpenSSH server installed
Step 1: Create a New User (No Shell Access)
Connect to your VPS:
ssh hxroot@YOUR_SERVER_IP -p 22sudo useradd -m -d /home/sftpuser -s /usr/sbin/nologin sftpusersudo passwd sftpuserStep 2: Configure Chroot Directory
For SFTP chroot, the root of the chroot must be owned by root and not writable by the user.
sudo mkdir -p /sftp/sftpuser
sudo chown root:root /sftp/sftpuser
sudo chmod 755 /sftp/sftpuserCreate an uploads directory inside (writable by user):
sudo mkdir /sftp/sftpuser/uploads
sudo chown sftpuser:sftpuser /sftp/sftpuser/uploads
sudo chmod 755 /sftp/sftpuser/uploadsChange user home directory to the chroot:
sudo usermod -d /sftp/sftpuser sftpuserStep 3: Configure SSH for SFTP Chroot
sudo nano /etc/ssh/sshd_configAdd at the bottom:
Subsystem sftp internal-sftp
Match User sftpuser
ChrootDirectory /sftp/sftpuser
ForceCommand internal-sftp
X11Forwarding no
AllowTcpForwarding no
PermitTTY noRestart SSH:
sudo systemctl restart sshdStep 4: Test SFTP Access
sftp sftpuser@YOUR_VPS_IPYou should be placed directly into the chroot directory.
Try to list:
lsYou should see the uploads directory.
Try to cd out:
cd /Should stay inside chroot.
Step 5: Upload a Test File
cd uploads
put testfile.txtAllow Multiple SFTP-Only Users
For multiple users, use group matching:
sudo groupadd sftpusers
sudo usermod -aG sftpusers sftpuser1
sudo usermod -aG sftpusers sftpuser2In sshd_config:
Match Group sftpusers
ChrootDirectory /sftp/%u
ForceCommand internal-sftpCreate separate directories for each user:
sudo mkdir /sftp/sftpuser1
sudo chown root:root /sftp/sftpuser1
sudo mkdir /sftp/sftpuser1/uploads
sudo chown sftpuser1:sftpuser1 /sftp/sftpuser1/uploadsDisable SFTP for a Specific User (Restore Shell Access)
sudo userdel sftpuser
sudo rm -rf /sftp/sftpuserRemove the Match block from sshd_config.
✅ SFTP-only user created. They can transfer files but cannot execute commands or use interactive shell.