All actions will also be relevant for CentOS/RHEL systems. In this example, a user will be added for access via SFTP using an SSH key to the web directory under Apache management. There is a default for Apache group “apache“, if necessary, replace the desired one.

All sites are on the dir:


Add the user sftpuser (already in the existing group):

useradd -g apache -d /var/www/html -s /sbin/nologin sftpuser

Let’s give the group rights to write, since we will change the owner:

chmod -R g+w /var/www/html/*

Change the ownership of files:

chown -R sftpuser:apache /var/www/html/*

The “html” directory itself should not belong to the “sftpuser” user

Create a directory for public keys and give it the necessary rights:

mkdir /var/www/html/.sshchmod 700 /var/www/html/.ssh

In this directory, create two files and place the public SSH key in them:

Set the necessary rights to the file:

chmod 644 /var/www/html/.ssh/*

Making the user sftpuser owner:

chown -R sftpuser:apache /var/www/html/.ssh

Open the SSH server configuration file:

vim /etc/ssh/sshd_config

Replace the string:

Subsystem sftp  /usr/libexec/openssh/sftp-server

On the following:

Subsystem sftp  internal-sftp

And add the following block to the end of the file:

Match Group apache
X11Forwarding no
AllowTcpForwarding no
ChrootDirectory %h
ForceCommand internal-sftp

Reboot the SSH service:

service restart sshd

We connect via SFTP client by specifying the username “sftpuser” and the path to the private SSH key, on the basis of which the public one was generated, the port for connection is SSH port (by default 22).

Dennis Otugo
Dennis Otugo

Dennis Otugo is a Consultant at Bantrain, and loves all things DevOps. In his role, he enables enterprise customers in their digital transformation journey and helps architect cloud-native solutions

Speak with an expert on our team to discuss Cloud solutions tailored to your business.

You’ll receive free recommendations tailored to your business.