How to configure SSH keys for restricted sftp user
SSH keys are much longer and more complex than a password. Partly for this reason, using an SSH key is a lot more secure than using a password. In this article, we’ll see how to configure SSH keys for sftp users.
If you do not have an SFTP server running, have a look at these two articles for detailed tutorials:
- Setting up a sftp server by restricting users to their home directory
- Setting up a sftp server by restricting users to another directory
Configuring ssh keys for user
Because of our configuration and restricted permissions, the sftp user cannot add ssh keys itself. So, log in as root or as a user with sudo privileges for this step.
We’ll now create .ssh directory for our “wpbackup” user
mkdir /home/wpbackup/.ssh
Next, we need to create authorized_keys file inside this directory. You can use your favorite text editor. Insert your public keys inside this file and save it.
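The two steps above can be scripted. The following is an added example, not part of the original article: install_sftp_key and its arguments are hypothetical names, and it assumes sshd's default AuthorizedKeysFile (.ssh/authorized_keys) and StrictModes settings, under which keys are ignored when the directory or file is writable by group or others.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the article).
# usage: install_sftp_key HOME_DIR 'PUBLIC KEY LINE' [OWNER]
# e.g.   install_sftp_key /home/wpbackup "$(cat id_ed25519.pub)" wpbackup
# The body runs in a subshell so the umask change does not leak to the caller.
install_sftp_key() (
    home_dir=$1 pubkey=$2 owner=${3:-}
    ssh_dir="$home_dir/.ssh"
    auth_file="$ssh_dir/authorized_keys"
    nl='
'
    # Accept exactly one line; an embedded newline could smuggle in extra keys.
    case $pubkey in
        *"$nl"*) echo "refusing multi-line input" >&2; exit 1 ;;
    esac
    # The line must start with a public key type. This also rejects private
    # key material and lines carrying options such as command="...".
    case $pubkey in
        ssh-ed25519\ *|ssh-rsa\ *|ecdsa-sha2-nistp*\ *|sk-*\ *) ;;
        *) echo "not an OpenSSH public key line" >&2; exit 1 ;;
    esac

    umask 077
    mkdir -p "$ssh_dir" || exit 1
    touch "$auth_file" || exit 1

    # Append only if this exact line is not already present.
    grep -qxF -- "$pubkey" "$auth_file" || printf '%s\n' "$pubkey" >> "$auth_file"

    # Modes that pass the StrictModes check: no group or world access.
    chmod 700 "$ssh_dir" || exit 1
    chmod 600 "$auth_file" || exit 1

    # Ownership can only be changed by root, so it is optional here.
    if [ -n "$owner" ]; then
        chown -R "$owner" "$ssh_dir" || exit 1
    fi
)
```

Run it as root with the account name as the third argument so that .ssh and authorized_keys end up owned by the sftp user.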
Testing our ssh keys
$ sftp wpbackup@SERVER_IP
Connected to SERVER_IP.
sftp>
Voila, here we go, no password prompts. To add to this, we will now have to disable password login for this user.
Open /etc/ssh/sshd_config and add the following line after “Match group sftpgroup”:
PasswordAuthentication no
Save the file and restart the sshd service.
[sudo] service sshd restart
Now, if wpbackup tries to log in to sftp using a password, they will be met with an error similar to this:
$ sftp wpbackup@SERVER_IP
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
Couldn't read packet: Connection reset by peer
That’s it, folks!