SFTP is very cool and easy to set up as it is SSH based.

That means: if user ‘sftp’ can log in via

ssh -v sftp@ip.of.the.srv

then SFTP via FileZilla will most likely also work.

lsb_release -d; # tested on
Description:	Debian GNU/Linux 11 (bullseye)

First, the new user ‘sftp’ needs to be added on client AND server:

su - root
useradd -m sftp
# no account without pwd
passwd sftp
# add to group www-data
usermod -a -G www-data sftp

# become the user
su - sftp

Generate an SSH key for that user:

GNU Linux ssh – generate public private keys of 8192Bits (RSA) or better update to new Ed25519 method

To limit the user ‘sftp’ to usage of SFTP only (the command below prints sshd_config without comment lines and blank lines):

sed -e '/^#/d' /etc/ssh/sshd_config | grep -v '^[[:space:]]*$'

Include /etc/ssh/sshd_config.d/*.conf

# allow only those usernames to ssh login
AllowUsers sftp
SyslogFacility AUTH

# possible LogLevels: QUIET, FATAL, ERROR, INFO (default), VERBOSE, DEBUG, DEBUG1, DEBUG2 (<- use this one for debugging) and DEBUG3
# set it back to INFO once debugging is done
LogLevel DEBUG2
LoginGraceTime 2m
PermitRootLogin no
StrictModes yes
MaxAuthTries 3
MaxSessions 3
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding no
PrintMotd no
AcceptEnv LANG LC_*

# override default of no subsystems
# Subsystem     sftp    /usr/lib/openssh/sftp-server
Subsystem	sftp	internal-sftp
Match User sftp
     ChrootDirectory /var/www/
     X11Forwarding no
     AllowTcpForwarding no
     ForceCommand internal-sftp
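# note: a Match block runs until the next Match line or end of file, so this line also applies only to user sftp
ClientAliveInterval 120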

# alternatively
# Match group sftp

Then don’t forget to restart the ssh service to make changes active:

service ssh restart

Make sure:

  1. upload the public key to server:/home/sftp/.ssh/authorized_keys2
    • on client:
      • install FileZilla:
        apt update
        apt install filezilla putty-tools
      • start FileZilla and hit Ctrl+S -> in Site Manager -> create a new site connection
        • as login type select “Keyfile” and select the private key, which is most likely called “/home/sftp/.ssh/id_ed25519”
        • FileZilla says it needs to convert the key to a .ppk format it can handle
          • do that and give it the new ending id_ed25519.ppk
        • save the site config by hitting “OK”
  2. make sure ssh login to this server via this user works:
    1. ssh -v sftp@ip.of.the.srv

If that worked, test whether FileZilla can also log in via SFTP.

Then the user's SSH shell login can be disabled like this:

usermod -s /usr/sbin/nologin sftp

this script could be named:

vim /root/scripts/



echo "=== fixing webserver permissions ==="
chown -R www-data: /var/www/html
chmod 775 -R /var/www/html
echo "... make sure chroot for user 'sftp' works"
echo "... the idea is that user 'sftp' can not ssh login but only sftp /var/www/html"
chown root:root /var/www/
chmod 755 /var/www
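
The reason for the last two lines of the script, as an added example (not part of the original post): sshd refuses the chroot unless every component of the ChrootDirectory path is a root-owned directory that is not writable by group or others. The function names and the optional UID argument are assumptions made for this example; it relies on GNU stat, as shipped with Debian.

```shell
#!/bin/sh
# Added example: pre-flight check for the ChrootDirectory used above.
# Every path component must be a directory, owned by root, and not
# writable by group or others, otherwise sshd drops the session.

# check_component DIR [UID]: test a single directory.
# UID defaults to 0 (root); the argument is an assumption of this example
# so the check can be exercised without being root.
check_component() {
    dir=$1
    want_uid=${2:-0}
    [ -d "$dir" ] || { echo "FAIL $dir: not a directory"; return 1; }
    uid=$(stat -L -c '%u' "$dir") || return 1
    mode=$(stat -L -c '%a' "$dir") || return 1
    if [ "$uid" -ne "$want_uid" ]; then
        echo "FAIL $dir: owner uid $uid, expected $want_uid"; return 1
    fi
    # 022 (octal) = group-write and other-write bits
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "FAIL $dir: mode $mode is writable by group or others"; return 1
    fi
    echo "ok   $dir (uid $uid, mode $mode)"
}

# check_chroot_path DIR: walk from DIR up to /, checking every component.
check_chroot_path() {
    path=$1
    rc=0
    case $path in
        /*) ;;
        *) echo "FAIL $path: must be an absolute path"; return 1 ;;
    esac
    while :; do
        check_component "$path" || rc=1
        [ "$path" = "/" ] && break
        path=$(dirname "$path")
    done
    return $rc
}

# Usage on the server, after running the permissions script:
#   check_chroot_path /var/www
```

A FAIL line for /var/www after `chown -R` or `chmod -R` was run one level too high is the usual cause of an SFTP login that authenticates and then disconnects immediately.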


