All actions will also be relevant for CentOS systems. In this example, a user will be added for access via SFTP using an SSH key to the web directory under Apache management. There is a default for Apache group "apache", if necessary, replace the desired one.
All sites are on the dir:
/var/www/html
Add the user sftpuser (already in the existing group):
useradd -g apache -d /var/www/html -s /sbin/nologin sftpuser
Let’s give the group permissions to write since we will change the owner:
chmod -R g+w /var/www/html/*
Change the ownership of files:
chown -R sftpuser:apache /var/www/html/*
The "html" directory itself should not belong to the "sftpuser" user
Create a directory for public keys and give it the necessary permissions:
mkdir /var/www/html/.ssh chmod 700 /var/www/html/.ssh
In this directory, create two files and place the public SSH key in them:
authorized_keys id_rsa.pub
Set the necessary permissions to the file:
chmod 644 /var/www/html/.ssh/*
Making the user sftpuser owner:
chown -R sftpuser:apache /var/www/html/.ssh
Open the SSH server configuration file:
vim /etc/ssh/sshd_config
Replace the string:
Subsystem sftp /usr/libexec/openssh/sftp-server
To the following:
Subsystem sftp internal-sftp
And add the following block to the end of the file:
Match Group apache X11Forwarding no AllowTcpForwarding no ChrootDirectory %h ForceCommand internal-sftp
Reboot the SSH service:
service restart sshd
We connect via SFTP client by specifying the username "sftpuser" and the path to the private SSH key, on the basis of which the public one was generated, the port for connection is SSH port (by default 22).