When managing Ubuntu servers with OpenSSH, administrators often need to implement different authentication methods for SSH and SFTP. The default configuration treats both protocols equally, but security best practices sometimes require separating their authentication mechanisms.
The solution lies in using OpenSSH's Match directive in /etc/ssh/sshd_config to apply different authentication rules for SFTP users:
# Global settings (applies to all connections)
PasswordAuthentication no
PubkeyAuthentication yes
# SFTP-specific exceptions
Match Group sftpusers
PasswordAuthentication yes
PubkeyAuthentication no
ForceCommand internal-sftp
ChrootDirectory /var/sftp
PermitTunnel no
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no
Here's how to properly set this up:
- Create a dedicated SFTP user group:
sudo groupadd sftpusers
- Create user accounts with SFTP-only access (no login shell):
sudo useradd -G sftpusers -s /bin/false sftp_user1
sudo passwd sftp_user1
- Set up the directory structure and permissions (the chroot itself stays root-owned; only the upload subdirectory is writable by the user):
sudo mkdir -p /var/sftp/sftp_user1/upload
sudo chown root:root /var/sftp
sudo chmod 755 /var/sftp
sudo chown sftp_user1:sftpusers /var/sftp/sftp_user1/upload
- Reload the SSH configuration:
sudo systemctl reload ssh
Test SSH access (should not give a shell: the password is accepted, but ForceCommand hands the session to internal-sftp instead of a login shell):
ssh sftp_user1@yourserver.com
Test SFTP access (should work with password):
sftp sftp_user1@yourserver.com
For enhanced security, consider these additional measures:
- Implement rate limiting with fail2ban
- Set up password complexity requirements
- Configure logging to monitor SFTP activity
- Consider using PAM modules for additional authentication controls
If you encounter problems, check:
- SSH daemon logs:
/var/log/auth.log
- File permissions on the chroot directory (every component of the path must be owned by root and must not be group- or world-writable, or sshd rejects the login)
- SELinux/AppArmor contexts if enabled
- Network/firewall rules allowing SFTP connections
Many system administrators face this exact scenario: needing to allow SFTP access with password authentication while enforcing key-based authentication for SSH. This configuration provides a balance between convenience for file transfers and security for shell access.
The key to achieving this setup lies in the /etc/ssh/sshd_config file (not ssh_config). Here's the critical configuration:
# Enforce SSH key authentication
PasswordAuthentication no
PubkeyAuthentication yes
# SFTP subsystem configuration
Subsystem sftp internal-sftp
# Match block for SFTP-only users
Match Group sftpusers
ForceCommand internal-sftp
PasswordAuthentication yes
ChrootDirectory /var/sftp
PermitTunnel no
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no
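The Match block above only behaves as intended because of two sshd_config rules: for each keyword the first value obtained wins, and every directive after a Match line belongs to that block until the next Match line. The following added script (not code from the original article) resolves a keyword for a given group under those rules, using a constructed copy of the configuration above and a constructed misordered variant in which the global PasswordAuthentication no was appended after the Match block. It handles only Match Group and Match all, ignores Include, and the helper names are assumptions for this example.

```bash
#!/usr/bin/env bash
# Added example, not code from the original article. A minimal resolver for
# the two sshd_config rules that decide what the Match block actually does:
# (1) for each keyword the FIRST value obtained wins, and (2) everything after
# a "Match" line belongs to that block until the next "Match". A value from a
# satisfied Match block overrides the global value. Handles only
# "Match Group ..." and "Match all", ignores Include. `sshd -T -C user=NAME`
# remains the authoritative check on a real host.

# resolve_keyword FILE KEYWORD GROUP
# Print the effective value of KEYWORD for a user in GROUP, or "unset" when
# sshd's compiled-in default applies (for PasswordAuthentication that is yes).
resolve_keyword() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v grp="$3" '
        { sub(/#.*/, "") }                       # strip comments
        NF == 0 { next }                         # skip blank lines
        tolower($1) == "match" {                 # start of a Match block
            in_match = 1; active = 0
            if (tolower($2) == "all") active = 1
            if (tolower($2) == "group") {
                n = split($3, names, ",")
                for (i = 1; i <= n; i++) if (names[i] == grp) active = 1
            }
            next
        }
        tolower($1) == key {
            $1 = ""; sub(/^[ \t]+/, "")          # value = rest of the line
            if (in_match && active && !mfound) { mfound = 1; mvalue = $0 }
            else if (!in_match && !gfound)     { gfound = 1; gvalue = $0 }
        }
        END { print (mfound ? mvalue : (gfound ? gvalue : "unset")) }
    ' "$1"
}

# Constructed copy of the configuration shown in the article.
article_config() {
    cat <<'EOF'
PasswordAuthentication no
PubkeyAuthentication yes
Subsystem sftp internal-sftp
Match Group sftpusers
    ForceCommand internal-sftp
    PasswordAuthentication yes
    ChrootDirectory /var/sftp
    AllowTcpForwarding no
EOF
}

# Constructed mistake: the global "PasswordAuthentication no" was appended at
# the end of the file, so it lives inside the Match block (where the earlier
# "yes" already won) and every other user silently gets sshd's default.
misordered_config() {
    cat <<'EOF'
PubkeyAuthentication yes
Subsystem sftp internal-sftp
Match Group sftpusers
    ForceCommand internal-sftp
    PasswordAuthentication yes
    ChrootDirectory /var/sftp
PasswordAuthentication no
EOF
}

# Stand-alone run: show what each user population gets from each file.
show() {
    local cfg; cfg=$(mktemp)
    "$1" > "$cfg"
    printf '%-18s PasswordAuthentication: sftpusers=%s admins=%s; ForceCommand(admins)=%s\n' \
        "$1" "$(resolve_keyword "$cfg" PasswordAuthentication sftpusers)" \
        "$(resolve_keyword "$cfg" PasswordAuthentication admins)" \
        "$(resolve_keyword "$cfg" ForceCommand admins)"
    rm -f "$cfg"
}
show article_config
show misordered_config
```

For the misordered file the resolver reports "unset" for non-SFTP users, which on a real server means sshd's default of PasswordAuthentication yes, the opposite of what the administrator intended. The same first-value-wins rule matters for Ubuntu's drop-in directory: on Ubuntu 22.04 and later the stock sshd_config begins with Include /etc/ssh/sshd_config.d/*.conf, so a drop-in file there that sets PasswordAuthentication is read before the global line in sshd_config and wins. Run sudo sshd -T -C user=sftpuser and sudo sshd -T -C user=someadmin and compare the passwordauthentication and forcecommand lines to confirm what the daemon will really apply.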
Here's how to implement this configuration:
# Create SFTP user group
sudo groupadd sftpusers
# Create a dedicated SFTP user
sudo useradd -G sftpusers -s /bin/false sftpuser
sudo passwd sftpuser
# Set up chroot directory
sudo mkdir -p /var/sftp/sftpuser
sudo chown root:root /var/sftp
sudo chmod 755 /var/sftp
sudo mkdir /var/sftp/sftpuser/upload
sudo chown sftpuser:sftpusers /var/sftp/sftpuser/upload
After reloading SSH (sudo systemctl reload ssh), test both access methods:
# Test SSH access (should not give a shell: the password is accepted, but ForceCommand hands the session to internal-sftp)
ssh sftpuser@yourserver.com
# Test SFTP access (should work with password)
sftp sftpuser@yourserver.com
For enhanced security:
- Implement rate limiting with fail2ban
- Set up password complexity requirements
- Consider two-factor authentication for SFTP
- Regularly rotate passwords for SFTP users
Common issues and solutions:
# Check authentication logs
tail -f /var/log/auth.log
# Verify permissions (critical for chroot)
namei -l /var/sftp/sftpuser
# Test configuration before applying
sudo sshd -t
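The namei -l output above has to be read against the rule sshd enforces for ChrootDirectory: every directory from / down to the chroot must be owned by root and must not be group- or world-writable, or the login is refused with "bad ownership or modes for chroot directory" in auth.log. The following added script (not code from the original article) applies that check automatically, for both the directory-setup step and the permissions item in the troubleshooting list. It assumes GNU coreutils stat (Linux); the function names, and the REQUIRED_UID and TOP hooks that let the self-test run unprivileged on a temporary tree, are assumptions for this example.

```bash
#!/usr/bin/env bash
# Added example, not code from the original article. Reproduces the check sshd
# applies to every component of ChrootDirectory before it chroots a session:
# each directory from / down to the chroot must be owned by root and must not
# be group- or world-writable. Assumes GNU coreutils stat.
set -u

# check_component UID MODE
# Pure decision logic, kept separate so it can be exercised without root.
# UID is the numeric owner, MODE the octal mode as printed by `stat -c %a`.
# REQUIRED_UID (default 0 = root) exists only so self-tests can run unprivileged.
check_component() {
    local uid="$1" mode="$2" required="${REQUIRED_UID:-0}"
    [ "$uid" = "$required" ] || return 1
    # 022 masks the group-write and other-write bits; either one set is fatal.
    [ $(( 0$mode & 022 )) -eq 0 ] || return 1
}

# check_chroot_path PATH [TOP]
# Walk PATH and its ancestors up to and including TOP (default /, which is the
# range sshd checks; a self-test passes a temp dir here) and apply
# check_component to each. Prints the first offending component and returns 1.
check_chroot_path() {
    local path="$1" top="${2:-/}" component uid mode
    [ -d "$path" ] || { printf 'missing: %s\n' "$path"; return 1; }
    component="$path"
    while :; do
        uid=$(stat -c %u "$component")
        mode=$(stat -c %a "$component")
        if ! check_component "$uid" "$mode"; then
            printf 'BAD: %s owned by uid %s, mode %s (need uid %s and no group/other write)\n' \
                "$component" "$uid" "$mode" "${REQUIRED_UID:-0}"
            return 1
        fi
        if [ "$component" = "$top" ] || [ "$component" = "/" ]; then
            return 0
        fi
        component=$(dirname "$component")
    done
}

# Stand-alone run: check the directory the article uses, when it exists.
if [ -d /var/sftp ]; then
    if check_chroot_path /var/sftp; then
        echo "OK: /var/sftp satisfies sshd's ChrootDirectory requirements"
    fi
fi
```

Note that the check stops at the chroot itself: /var/sftp/sftpuser/upload may be owned by the user and group-writable because it sits below the chroot, which is exactly why the article keeps the user-writable directory one level down rather than making /var/sftp writable.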