Amazon Linux 2 AMI – SFTP access

All actions will also be relevant for CentOS systems. In this example, a user will be added for access via SFTP using an SSH key to the web directory under Apache management. There is a default for Apache group “apache“, if necessary, replace the desired one.

All sites are on the dir:



Add the user sftpuser (already in the existing group):

useradd -g apache -d /var/www/html -s /sbin/nologin sftpuser

Let’s give the group permissions to write since we will change the owner:

chmod -R g+w /var/www/html/*

Change the ownership of files:

chown -R sftpuser:apache /var/www/html/*


The “html” directory itself should not belong to the “sftpuser” user


Create a directory for public keys and give it the necessary permissions:

mkdir /var/www/html/.ssh
chmod 700 /var/www/html/.ssh

In this directory, create two files and place the public SSH key in them:


Set the necessary permissions to the file:

chmod 644 /var/www/html/.ssh/*

Making the user sftpuser owner:

chown -R sftpuser:apache /var/www/html/.ssh


Open the SSH server configuration file:

vim /etc/ssh/sshd_config

Replace the string:

Subsystem sftp	/usr/libexec/openssh/sftp-server

To the following:

Subsystem sftp	internal-sftp

And add the following block to the end of the file:

Match Group apache
X11Forwarding no
AllowTcpForwarding no
ChrootDirectory %h
ForceCommand internal-sftp


Reboot the SSH service:

service restart sshd


We connect via SFTP client by specifying the username “sftpuser” and the path to the private SSH key, on the basis of which the public one was generated, the port for connection is SSH port (by default 22).

Tagged: Tags

Notify of

Inline Feedbacks
View all comments