Unix & Linux Stack Exchange
Q&A for users of Linux, FreeBSD and other Unix-like operating systems
Latest Questions
6 votes, 1 answer, 3728 views
Making ChrootDirectory directory writable by SFTP user
If a user logs into a machine via SFTP, one can make use of the `ChrootDirectory` keyword to give the illusion that the user is in a root directory. But that directory is only writable by the `root` user. I would love for this user to have such write capabilities, and it doesn't appear that OpenSSH offers this, unless I missed something?

I am aware that the SFTP user can be given write access to any file/directory inside that `ChrootDirectory`, but it's not good enough. I want the user to also create/delete files directly under that "root" directory, without the workaround of creating a subdirectory that the user has write access to.
tshepang (67482 rep), Jan 10, 2013, 08:16 AM • Last activity: Aug 7, 2025, 08:04 AM
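Added example (editor's note, not part of the question or of OpenSSH): sshd refuses a `ChrootDirectory` unless every component of the path is owned by root and none is group- or world-writable (sshd_config(5)), which is why the jail root itself can never be user-writable and the writable area has to sit one level down. The script below applies those rules to a path before sshd is restarted, and builds the layout that satisfies them. The jail path, user name and the GNU `stat -c` syntax are assumptions; `CHROOT_OWNER_UID` exists only so the walk can be dry-run on directories you own.

```bash
#!/bin/sh
# Added example, not from the question. Reproduces sshd's ChrootDirectory
# acceptance rules so a jail can be checked without restarting sshd and
# reading "bad ownership or modes for chroot directory" out of the auth log:
#   - every component of the path must be owned by root, and
#   - no component may be writable by group or others.
# Assumes GNU coreutils stat (-c). CHROOT_OWNER_UID is a dry-run knob only;
# sshd itself always requires uid 0.
CHROOT_OWNER_UID=${CHROOT_OWNER_UID:-0}

# check_chroot_path DIR [TOP]
# Walks from DIR up to TOP (default /) and prints one line per offending
# component. Returns 0 when sshd would accept DIR as ChrootDirectory.
check_chroot_path() {
    p=$1
    top=${2:-/}
    rc=0
    while :; do
        owner=$(stat -c '%u' "$p" 2>/dev/null) || { echo "missing: $p"; return 2; }
        perm=$(stat -c '%A' "$p")            # e.g. drwxr-xr-x
        if [ "$owner" != "$CHROOT_OWNER_UID" ]; then
            echo "not owned by uid $CHROOT_OWNER_UID: $p (uid $owner)"
            rc=1
        fi
        # character 6 is the group write bit, character 9 the world write bit
        case $perm in
            ?????w????|????????w?) echo "group/world writable: $p ($perm)"; rc=1 ;;
        esac
        case $p in "$top"|/) break ;; esac
        p=$(dirname "$p")
    done
    return $rc
}

# make_sftp_jail JAIL USER GROUP
# Creates the only layout the rules allow: JAIL owned by root, mode 755, and
# a writable "files" directory inside it owned by USER. Must run as root.
make_sftp_jail() {
    jail=$1; user=$2; group=$3
    mkdir -p "$jail/files"
    chown root:root "$jail"
    chmod 755 "$jail"
    chown "$user:$group" "$jail/files"
    chmod 750 "$jail/files"
    check_chroot_path "$jail"
}

# Usage: sh check-chroot.sh /srv/sftp/alice   (exit status is the verdict)
if [ $# -ge 1 ]; then
    check_chroot_path "$@"
fi
```

Pair the jail with `Match User alice`, `ChrootDirectory /srv/sftp/alice`, `ForceCommand internal-sftp` in sshd_config; the user then lands in `/` and can write only inside `/files`. If the top-level directory must appear writable, the usual workaround is a bind mount of a user-owned directory onto a subdirectory of the jail, not loosening the jail root.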
5 votes, 2 answers, 7240 views
Log the output of Expect command
I have made the below expect script and I need to log the output of that script.

```bash
SOURCE_FILE=`ls -l *.txt --time-style=+%D | grep ${DT} | grep -v '^d' | awk '{print $NF}'`
if [ -n "${SOURCE_FILE}" ]
then
    cp -p ${SOURCE_FILE} ${T_FILES}
    # expect script fed through a here-document
    /usr/bin/expect <<EOD
    send "put /opt/AppServer/ES_TEST/todays_report/*.txt\r"
    expect "sftp>"
    send "bye\r"
    expect eof
EOD
else
    echo "No Files to copy" >> ${LOGFILE}
fi
```

I need to log the output of the expect command in `${LOGFILE}`. How can it be done?

I have tried adding the below things; it doesn't work. What could be done?

```bash
/usr/bin/expect <<EOD > ${LOGFILE} 2>&1
set timeout 60
spawn sftp $ES_SFTP_USER@$ES_SFTP_HOST_NAME:$R_LOCATION
expect "*?assword:"
send "$password\r"
expect "sftp>"
send "put /opt/AppServer/ES_TEST/todays_report/*.txt\r"
expect "sftp>"
send "bye\r"
expect eof
EOD
```
sabarish jackson (628 rep), Jul 11, 2016, 05:59 AM • Last activity: Jul 12, 2025, 05:07 AM
4 votes, 1 answer, 4138 views
SSH with chroot and only working "sftp", "rsync" (both)?
I have two users and one shared folder in my Ubuntu server:

1. User `writer`, which has write access to `/var/shared`. It's an application regularly making file changes in this folder from remote, with an SSH key.
2. User `reader` is used by multiple clients with an SSH key, a key they can get without my permission; that's why I need to restrict the commands available in this shell.

### Question:

I need to restrict the commands accessible for the `reader` user so it can use only the sftp and rsync protocols (no standard commands like `mkdir`, `ls`, `top`, ...). Only the directory `/var/shared` must be readable, and it must be the root path, e.g., no need to `cd` into it, it's already `/` in sftp or rsync.

**How do I write a shell script so I can apply it with `usermod -s` for user `reader` that will give such behavior?** I cannot find any samples. How do I make `writer` also remain "jailed" to `/var/share`, so the paths are the same?

### Notes:

1. I have tried `sshd_config`'s `Match`, `ForceCommand internal-sftp` and `ChrootDirectory` directives already. This requires the `ChrootDirectory` to be owned by root and non-writable (755 or less), and does not support `rsync`.
2. I have tried `rssh`, but it simply doesn't work for directories outside the home directory of the logged-in user. So I couldn't chroot users to the same directory with different permissions.
3. I tried to use `command=".." ssh-rsa....` in the `authorized_keys` file, but didn't get how I can enable the behavior which I need; I only checked the `rrsync` script from rsync's docs. This method has no `chroot` feature, which I need.

### Can I have a sample at least for such shells? Is this achievable with scripts?

Bash and C++ (if needed) are welcome. Output of `ldd /bin/bash`:

```
linux-vdso.so.1 => (0x00007fff7e9d1000)
libtinfo.so.5 => /lib/x86_64-linux-gnu/libtinfo.so.5 (0x00007f79dfd8b000)
libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f79dfb87000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f79df7bd000)
/lib64/ld-linux-x86-64.so.2 (0x000055bd0767c000)
```
George (41 rep), Jun 21, 2016, 10:55 PM • Last activity: Jun 28, 2025, 03:05 PM
4 votes, 1 answer, 16713 views
SSH and SFTP Setup using sshd_config
**I am aware that this is security through obscurity; however, this is for training purposes and will not be accessible via the Internet. It will merely be used as an internal tool.**

I have looked at the following link: How to disable sftp for some users, but keep ssh enabled?

The problem is that it doesn't answer my question, which is described below:

I am attempting to set up a virtual server which allows one user to log in to the server using sftp, and another user to log in to the server using ssh.

The sftp portion works and is done by forcing internal-sftp within the sshd_config file shown further within this question. This part works as it disallows the user from logging into the server using ssh, and only allows them access to the sftp jail which I have created.

For the other user, which is only meant to be able to access the chroot jail via ssh, I am unsure of how to disallow access via sftp. The problem is that I have specifically created a chroot jail for that user to prevent commands such as ls and cat; however, if the user accesses the server using sftp, they are able to use those commands.

The section within the /etc/ssh/sshd_config is as follows:

```
Match User test1
    ChrootDirectory /home/jail
    X11Forwarding no
    AllowTcpForwarding no
# Match Group sftpusers
Match User test2
    ChrootDirectory /sftp/guestuser
    ForceCommand internal-sftp
    AllowUsers test2
```

I have attempted to add:

```
ForceCommand Subsystem sftp /bin/false
ForceCommand sftp /bin/false
Subsystem sftp /bin/false
```

to `Match User test1`. However, none of the aforementioned additions work with sshd_config.

So my question is: Is there a way to prevent user1 from accessing the server via sftp? If not, is there a way to remove certain commands from sftp, such as ls or cat?

Any advice would be greatly appreciated.
Kyhle Ohlinger (51 rep), Jul 26, 2017, 11:53 AM • Last activity: Jun 16, 2025, 10:01 PM
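Added example (editor's note; not from this question, the `reader`/`writer` question above, or OpenSSH) covering both: a `ForceCommand` wrapper that decides per account what an authenticated session may do. sshd hands a forced command the client's request in `SSH_ORIGINAL_COMMAND`: the subsystem name (`sftp`) for a subsystem request, the command line for `ssh host cmd`, and nothing for a plain shell request. The wrapper classifies that string against a policy such as `sftp rsync-read` (the `reader` account) or `shell` (the `test1` account, which is how an sftp subsystem request gets refused) and execs a vetted program or exits. The `/var/shared` root, the sftp-server and rsync paths and the account names are assumptions.

```bash
#!/bin/sh
# Added example, not from either question: a ForceCommand wrapper that
# classifies SSH_ORIGINAL_COMMAND and applies a per-account policy made of
# the classes shell, sftp, rsync-read, rsync-write.
# Install as /usr/local/sbin/ssh-wrapper and point ForceCommand at it.
# Assumptions: shared tree, binary locations and account names below.
SHARED_ROOT=${SHARED_ROOT:-/var/shared}
SFTP_SERVER=${SFTP_SERVER:-/usr/lib/openssh/sftp-server}
RSYNC=${RSYNC:-/usr/bin/rsync}

# has_shell_metachars STRING: anything that could change meaning when the
# line is re-split and exec'd is rejected outright.
has_shell_metachars() {
    printf '%s\n' "$1" | grep -q '[;&|<>$()`\\]'
}

# rsync_target_ok CMD: the last word of an "rsync --server" line is the path
# the client asked for; it must stay under SHARED_ROOT and contain no "..".
rsync_target_ok() {
    target=${1##* }
    case $target in
        *..*) return 1 ;;
        "$SHARED_ROOT"|"$SHARED_ROOT"/*) return 0 ;;
    esac
    return 1
}

# classify_command STRING -> shell | sftp | rsync-read | rsync-write | other
classify_command() {
    cmd=$1
    case $cmd in
        "")                 echo shell; return ;;
        sftp|internal-sftp) echo sftp;  return ;;
    esac
    if has_shell_metachars "$cmd"; then echo other; return; fi
    case $cmd in
        "rsync --server --sender "*) class=rsync-read ;;   # server sends: client downloads
        "rsync --server "*)          class=rsync-write ;;  # no --sender: client uploads
        *)                           echo other; return ;;
    esac
    if rsync_target_ok "$cmd"; then echo "$class"; else echo other; fi
}

# is_allowed POLICY CLASS: POLICY is a space-separated list of classes.
is_allowed() {
    for allowed in $1; do
        [ "$allowed" = "$2" ] && return 0
    done
    return 1
}

# dispatch POLICY: entry point when sshd runs "ssh-wrapper POLICY".
dispatch() {
    policy=$1
    request=${SSH_ORIGINAL_COMMAND-}
    class=$(classify_command "$request")
    if ! is_allowed "$policy" "$class"; then
        logger -p auth.warning -t ssh-wrapper \
            "denied $class for ${USER:-?} from ${SSH_CONNECTION%% *}: $request"
        echo "This account may only use: $policy" >&2
        exit 1
    fi
    set -f                      # no globbing while re-splitting the vetted line
    case $class in
        shell)   exec "${SHELL:-/bin/sh}" -l ;;
        sftp)    exec "$SFTP_SERVER" ;;
        rsync-*) set -- $request; shift; exec "$RSYNC" "$@" ;;
    esac
}

# Act as the wrapper only when started by sshd with a policy argument;
# sourcing the file (for tests) just defines the functions.
if [ -n "${SSH_CONNECTION-}" ] && [ $# -eq 1 ]; then
    dispatch "$1"
fi
```

In sshd_config this becomes `ForceCommand /usr/local/sbin/ssh-wrapper "sftp rsync-read"` under `Match User reader`, `... "sftp rsync-read rsync-write"` for `writer`, and `... shell` under `Match User test1`. Two caveats from sshd_config(5): a forced command is invoked through the account's login shell with `-c`, so the account needs a real shell, and it runs inside `ChrootDirectory` when one is set, so combining the wrapper with a jail means the jail must contain a shell, rsync, sftp-server and their libraries (the `ldd` output in the question is the start of that list). Without a jail the wrapper limits what runs, not what the filesystem shows, so `/var/shared` permissions still matter; rsync's own `rrsync` script filters rsync options more thoroughly than the prefix check here.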
1 vote, 1 answer, 1129 views
sshd ignores KexAlgorithms
I have a PC where I run `sshd` as an SFTP server. I have configured the `KexAlgorithms` as follows:

```
KexAlgorithms +diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
```

I deliberately want to allow the use of these old key exchange algorithms because I want this server to be accessible by a very old (Win98 based) PC that runs WinSCP, which has only a small number of key exchange algorithms available.

However, even though I configured the `KexAlgorithms` on the server, even after a reboot the connection does not work. I checked on the server which ciphers it allows by

```
sshd -T | grep kex
```

and neither `diffie-hellman-group-exchange-sha1` nor `diffie-hellman-group14-sha1` is listed. Therefore it is impossible to connect to this server from WinSCP on Windows 98.

N.B.: I have deliberately used a PC with two network interfaces, i.e. one of them is connected to the regular LAN (with internet access and so on) and the other interface is connected to the old PC only. I cannot simply update the old PC because it is integrated in a very unique and expensive measuring instrument I cannot change.
T. Pluess (626 rep), Mar 11, 2021, 01:11 PM • Last activity: May 28, 2025, 09:00 AM
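Added example (editor's note, not from the question): two checks that find the usual reasons a `KexAlgorithms` line is "ignored". sshd_config(5) states that for each keyword the first value obtained is used, and current Debian/Ubuntu and RHEL-family files begin with `Include /etc/ssh/sshd_config.d/*.conf`, so a `KexAlgorithms` line in a drop-in or earlier in the file wins over one appended at the end. The first function shows which line sshd will honour; the second reads saved `sshd -T` output and reports whether an algorithm reached the offered list. File paths are assumptions; the demo builds its own files.

```bash
#!/bin/sh
# Added example, not from the question. effective_directive reproduces the
# "first obtained value wins" rule of sshd_config(5), expanding Include
# directives in place; kex_offered checks saved `sshd -T` output.

# flatten_config FILE... -> the files' lines with Include directives
# expanded in place (glob patterns resolved by the shell, as sshd does).
flatten_config() {
    local f line words
    for f in "$@"; do
        [ -r "$f" ] || continue
        while IFS= read -r line || [ -n "$line" ]; do
            words=$(printf '%s\n' "$line" | tr -s ' \t' ' ' | sed 's/^ //')
            case $words in
                [Ii]nclude\ *) flatten_config ${words#* } ;;
                *)             printf '%s\n' "$line" ;;
            esac
        done < "$f"
    done
}

# effective_directive KEYWORD FILE... -> the value sshd uses for KEYWORD in
# the global section. Stops at the first Match block: KexAlgorithms is not
# permitted there anyway. Returns 1 when the keyword is absent.
effective_directive() {
    local kw
    kw=$1; shift
    flatten_config "$@" | awk -v kw="$kw" '
        { sub(/#.*/, ""); if (NF == 0) next; k = tolower($1) }
        k == "match" { exit }
        k == tolower(kw) { $1 = ""; sub(/^[ \t]+/, ""); print; found = 1; exit }
        END { exit found ? 0 : 1 }'
}

# kex_offered SSHD_T_OUTPUT ALGORITHM -> 0 if ALGORITHM appears in the
# kexalgorithms line of saved `sshd -T` output, 1 otherwise.
kex_offered() {
    awk -v want="$2" '
        $1 == "kexalgorithms" {
            n = split($2, a, ",")
            for (i = 1; i <= n; i++) if (a[i] == want) ok = 1
        }
        END { exit ok ? 0 : 1 }' "$1"
}

# Demo on constructed files: the drop-in wins over the appended line.
demo_first_value_wins() {
    local d
    d=$(mktemp -d)
    mkdir "$d/sshd_config.d"
    printf 'KexAlgorithms curve25519-sha256\n' > "$d/sshd_config.d/50-policy.conf"
    printf 'Include %s/sshd_config.d/*.conf\nPort 22\nKexAlgorithms +diffie-hellman-group14-sha1\n' \
        "$d" > "$d/sshd_config"
    effective_directive KexAlgorithms "$d/sshd_config"
    rm -rf "$d"
}
```

Run `effective_directive KexAlgorithms /etc/ssh/sshd_config` and compare with `sshd -T | grep kexalgorithms`. Because `KexAlgorithms` cannot go under `Match`, the SHA-1 methods cannot be limited to the instrument's side by address; the way to keep them off the LAN-facing interface is a second sshd started with `sshd -f /etc/ssh/sshd_config.legacy`, whose file sets `ListenAddress` to the isolated interface's address and puts the `KexAlgorithms +...` line before any `Include`, verified with `sshd -T -f /etc/ssh/sshd_config.legacy | grep kexalgorithms`.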
1 vote, 1 answer, 2544 views
Ubuntu SFTP Client with sudo capability
Recently I completely switched to Ubuntu for my work computer. But I have one problem. On Windows I used WinSCP to connect to a remote development server via SFTP and I can't find any app for Ubuntu that would work for me here. The problem is not the SFTP itself - I can connect to the server without any problems - however I need to log in as an unprivileged user and then run sudo to be able to traverse into directories my unprivileged user can't access.

In WinSCP I could configure my *WinSCP server* as `sudo su -c /bin/sftp-server` and as *shell* I had to put `sudo su -`.

Is there any app that can connect to SFTP in a similar manner to what WinSCP could do on Windows?
Get Schwifty (11 rep), Feb 16, 2022, 03:36 PM • Last activity: May 28, 2025, 05:05 AM
1 vote, 1 answer, 11037 views
IP address of the username who uses sftp connection in unix
We have an SFTP connection in a Unix location. How can I find the IP address of the particular username with whom we have the SFTP connection to share the files?
M.Nehru (91 rep), Apr 30, 2015, 03:02 PM • Last activity: May 14, 2025, 11:03 PM
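Added example (editor's note, not part of the question): the peer address of an SFTP account is in sshd's auth log, which records `Accepted <method> for <user> from <ip> port <n> ssh2` for every successful authentication. That is the place to look rather than `who` or `last`: SFTP sessions get no pty, so sshd writes no utmp/wtmp entry for them. The log lines in the script are constructed for the demo; on a real host pipe in `/var/log/auth.log`, `/var/log/secure` or `journalctl -u ssh -u sshd`.

```bash
#!/bin/sh
# Added example, not from the question. Counts the source addresses behind
# a user's accepted (or failed) SSH/SFTP authentications from sshd log
# lines. SAMPLE_LOG is constructed; vendor1/vendor2 and the addresses are
# documentation values, not real hosts.
SAMPLE_LOG='Apr 30 14:02:11 host sshd[1234]: Accepted publickey for vendor1 from 203.0.113.7 port 51222 ssh2: RSA SHA256:c3VyZWx5bm90YXJlYWxrZXlmaW5nZXJwcmludA
Apr 30 14:02:11 host sshd[1234]: pam_unix(sshd:session): session opened for user vendor1 by (uid=0)
Apr 30 14:02:12 host internal-sftp[1240]: session opened for local user vendor1 from [203.0.113.7]
Apr 30 15:10:03 host sshd[2000]: Accepted password for vendor2 from 198.51.100.23 port 40022 ssh2
Apr 30 15:11:45 host sshd[2100]: Failed password for vendor1 from 192.0.2.99 port 40100 ssh2
Apr 30 15:11:49 host sshd[2100]: Failed password for vendor1 from 192.0.2.99 port 40100 ssh2
Apr 30 15:12:00 host sshd[2101]: Failed password for invalid user vendor1x from 192.0.2.99 port 40101 ssh2
Apr 30 16:00:00 host sshd[2300]: Accepted publickey for vendor1 from 203.0.113.7 port 51300 ssh2: RSA SHA256:c3VyZWx5bm90YXJlYWxrZXlmaW5nZXJwcmludA'

# auth_sources USER [RESULT] < log -> "count ip" per source address, most
# frequent first, for RESULT = Accepted (default) or Failed. Matches the
# user name as a whole field, so vendor1 does not match vendor1x.
auth_sources() {
    awk -v user="$1" -v result="${2:-Accepted}" '
        $0 ~ ("sshd\\[[0-9]+\\]: " result " ") {
            for (i = 1; i <= NF; i++)
                if ($i == "for" && $(i + 1) == user && $(i + 2) == "from")
                    seen[$(i + 3)]++
        }
        END { for (ip in seen) print seen[ip], ip }' | sort -rn
}

# Demo on the constructed log.
demo() {
    echo "vendor1 accepted from:"; printf '%s\n' "$SAMPLE_LOG" | auth_sources vendor1
    echo "vendor1 failed from:";   printf '%s\n' "$SAMPLE_LOG" | auth_sources vendor1 Failed
}
```

For sessions open right now, `ss -tnp state established '( sport = :22 )'` as root lists each peer with the pid of its `sshd` child, and `ps -o user= -p PID` names the account behind that pid. With `Subsystem sftp internal-sftp -l INFO` the SFTP server additionally logs `session opened for local user USER from [IP]` plus every file operation, which is what to enable when the question is "who fetched what".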
62 votes, 11 answers, 231950 views
How to use SFTP on a system that requires sudo for root access & ssh key based authentication?
I want to be able to use SFTP to edit files that require root permissions. I'm using SSH key based authentication - an RSA key on a smart card.

If the system requires sudo to perform root level commands, how do I get around this? Can I create a way of bypassing sudo for SFTP only? Is there a way to keep sudo & key authentication?

I'm using Windows to connect to Ubuntu. I need this to work with Mac connecting to Ubuntu as well.

I understand how to do SSH tunneling to admin the system services. Currently, I use root user login directly, but password login is disabled. I didn't understand how to use sudo and SFTP at the same time. It seems to be a best practice to require login as a non-root user and then require use of sudo, since the logs will record who was given escalated privileges for each command.

Should I concern myself with this when using key based authentication, or is this a trivial difference in security/logging? It seems like key based authentication records the user's serial number in the logs, and you can have multiple keys for the root user to identify each user. This seems to be the same effect as using sudo to me. Am I wrong?
Bruce Kirkpatrick (877 rep), Jan 26, 2014, 07:01 PM • Last activity: May 13, 2025, 08:27 AM
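Added example (editor's note; not from this question, the WinSCP `sudo su -c /bin/sftp-server` question above, or OpenSSH) covering both: the OpenSSH `sftp` client's `-s` option names the program to start on the far end instead of the server's `sftp` subsystem, so `sftp -s "sudo -n /usr/lib/openssh/sftp-server" user@host` gives a root-level SFTP session while the login itself stays with the user's own key and sudo logs `USER=root ; COMMAND=/usr/lib/openssh/sftp-server` under that user's name. The helpers emit the client command and the one sudoers rule it needs, and audit a sudoers line for the mistakes that turn "sftp as root" into "root shell for everyone". The sftp-server path and the account names are assumptions; check where the binary lives on the host.

```bash
#!/bin/sh
# Added example, not from either question. Pieces for running sftp-server
# under sudo with key authentication kept, plus a sudoers line audit.
# Assumed sftp-server location; Debian/Ubuntu use /usr/lib/openssh/sftp-server,
# RHEL-family hosts /usr/libexec/openssh/sftp-server.
DEFAULT_SFTP_SERVER=/usr/lib/openssh/sftp-server

# sftp_root_cmd USER HOST [SFTP_SERVER] -> client command line. "sudo -n"
# fails instead of hanging when a password would be needed (no tty here).
sftp_root_cmd() {
    printf 'sftp -s "sudo -n %s" %s@%s\n' "${3:-$DEFAULT_SFTP_SERVER}" "$1" "$2"
}

# sudoers_rule USER [SFTP_SERVER] -> the tightest rule that lets "-n" succeed
sudoers_rule() {
    printf '%s ALL=(root) NOPASSWD: %s\n' "$1" "${2:-$DEFAULT_SFTP_SERVER}"
}

# audit_sudoers_line LINE -> prints "ok" or the first problem, returns 1 on a
# problem. Rejects: runas wider than root, more than one command, the ALL
# command, wildcards, relative paths.
audit_sudoers_line() {
    line=$1
    rest=${line#*=}                               # after "HOSTS="
    runas=$(printf '%s\n' "$rest" | sed -n 's/^(\([^)]*\)).*/\1/p')
    cmds=$(printf '%s\n' "$rest" | sed -e 's/^([^)]*)//' -e 's/^[ \t]*//' \
                                         -e 's/^\([A-Z]*: *\)*//')
    case $runas in
        ALL|ALL:*|*:ALL) echo "runas not restricted to root: ($runas)"; return 1 ;;
    esac
    case $cmds in
        *,*)    echo "more than one command: $cmds"; return 1 ;;
        ALL)    echo "command ALL grants a root shell"; return 1 ;;
        *[*?]*) echo "wildcard in command: $cmds"; return 1 ;;
        /*)     ;;
        *)      echo "command is not an absolute path: $cmds"; return 1 ;;
    esac
    # Arguments stay permitted; sftp-server's options (-d, -u, -R, -p/-P)
    # cannot widen what a root sftp-server already reaches.
    echo ok
}
```

Two operational notes: sudoers files that carry `Defaults requiretty` (older RHEL) need `Defaults:USER !requiretty`, because the subsystem has no tty; and the account must not be covered by a `ForceCommand internal-sftp` match, or the `-s` program is never started. On the logging question in the post: sshd does log the fingerprint of the accepted key at its default `LogLevel INFO`, so several keys on the root account are attributable until one is copied; the sudo route additionally gives per-user revocation without touching root's `authorized_keys` and needs no root login at all.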
0 votes, 1 answer, 3472 views
How to use EXPECT in a loop for ssh
Our Linux setup doesn't have keygen configured for passwordless authentication. Hence I am supposed to use only `expect` for passwordless authentication in a shell script.

```bash
/usr/bin/expect <<EOF > ${LOG_FILE}
set timeout 60
spawn sftp ${EWS_USER}@${EWS_HOST}:${TGT_DIR}
expect "*?assword:"
send "$password\r"
expect "sftp>"
send "put $local_dir/$line\r"
expect "sftp>"
send "bye\r"
expect eof
EOF
filename=$(basename "$line")
# echo "File Name: $filename"
#Calculate the MD5Sum locally.
local_md5sum=$(md5sum "$line")
#echo "Local MD5Sum: ${local_md5sum}"
#Calculate the MD5sum in remote machine
remote_md5sum=$(ssh ${EWS_USER}@${EWS_HOST} "cd '$TGT_DIR' ; find -name '$filename' -exec md5sum {} \;" > ${LOG_NAME}
put ${LOCAL_DIR}/${line} ${TGT_DIR}/${line}
EOF
```

But any idea how to use `expect` here in the scenario below to make the connection passwordless?

```bash
remote_md5sum=$(ssh ${EWS_USER}@${EWS_HOST} "cd '$TGT_DIR' ; find -name '$filename' -exec md5sum {} \;" < /dev/null)
```
sabarish jackson (628 rep), Oct 26, 2016, 01:56 PM • Last activity: May 7, 2025, 06:10 PM
0 votes, 1 answer, 70 views
Trying to login to sftp fails
I'm trying to set up an sftp server using openssh's builtin sftp.

```
Subsystem sftp /usr/lib/openssh/sftp-server
```

and I have created the user by following (more or less (using ansible); I do use /sbin/nologin for the shell and /dev/null is used as skel) https://sftpcloud.io/learn/sftp/how-to-setup-sftp-server-on-ubuntu-22-04

but when I try to connect

```
sftp myuser@myip
```

I get the prompt and enter the password, but it fails:

```
client_loop: send disconnect: Broken pipe
Connection closed.
Connection closed
```

The thing is that now the home directory for the user is filled with crap.

```
$ ls -a
snap/ .cache .local
```

and in syslog I see A LOT of things happening that seem more to relate to logging in as a normal user (I guess). Here is some of it:

```
systemd: Created slice user-1003.slice - User Slice of UID 1003.
systemd: Starting user-runtime-dir@1003.service - User Runtime Directory /run/user/1003...
snapd-desktop-i: Detected new session 42 at /org/freedesktop/login1/session/_342
systemd: Finished user-runtime-dir@1003.service - User Runtime Directory /run/user/1003.
systemd: Starting user@1003.service - User Manager for UID 1003...
systemd-xdg-autostart-generator: Exec binary 'start-pulseaudio-x11' does not exist: No such file or directory
systemd-xdg-autostart-generator: /etc/xdg/autostart/pulseaudio.desktop: not generating unit, executable specified in Exec= does not exist.
systemd: Queued start job for default target default.target.
systemd: Created slice app.slice - User Application Slice.
systemd: Created slice session.slice - User Core Session Slice.
systemd: Started ubuntu-report.path - Pending report trigger for Ubuntu Report.
systemd: Started launchpadlib-cache-clean.timer - Clean up old files in the Launchpadlib cache.
systemd: Starting gpg-agent-ssh.socket - GnuPG cryptographic agent (ssh-agent emulation)...
systemd: Started user@1003.service - User Manager for UID 1003.
systemd: Started session-42.scope - Session 42 of User myuser.
systemd: Starting gnome-initial-setup-copy-worker.service - GNOME Initial Setup Copy Worker...
systemd: Started pipewire.service - PipeWire Multimedia Service.
systemd: Started filter-chain.service - PipeWire filter chain daemon.
systemd: Started snap.snapd-desktop-integration.snapd-desktop-integration.service - Service for snap application snapd-desktop-integration.snapd-desktop-integration.
systemd: Started wireplumber.service - Multimedia Service Session Manager.
systemd: Started pipewire-pulse.service - PipeWire PulseAudio.
systemd: Startup finished in 270ms.
systemd: Starting dbus.service - D-Bus User Message Bus...
pipewire: mod.jackdbus-detect: Failed to receive jackdbus reply: org.freedesktop.DBus.Error.ServiceUnknown: The name org.jackaudio.service was not provided by any .service files
wireplumber: SPA handle 'api.libcamera.enum.manager' could not be loaded; is it installed?
systemd: snap.snapd-desktop-integration.snapd-desktop-integration.service: Main process exited, code=exited, status=1/FAILURE
systemd: snap.snapd-desktop-integration.snapd-desktop-integration.service: Failed with result 'exit-code'.
```

So I guess the login triggers "other stuff"; how do I disable the extra stuff that is happening and just have sftp?

I do have other "regular" users logging into the server that I'm trying to set up as an sftp server, so I have to handle these sftp users in a special way. But how?

I use Ubuntu 24.04. My sshd_config says:

```
UsePAM yes
```
user1887384 (1 rep), Apr 17, 2025, 07:48 AM • Last activity: Apr 19, 2025, 06:06 AM
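Added example (editor's note, not from the question): sshd starts an external `Subsystem sftp /usr/lib/openssh/sftp-server`, like any `ForceCommand`, through the account's login shell with `-c`. An account whose shell is `/sbin/nologin` or `/bin/false` therefore never reaches sftp-server: the shell prints its refusal and exits, and the client sees "Broken pipe" / "Connection closed". Only `internal-sftp` runs inside sshd itself and works with such a shell. The PAM session phase (and with it `pam_systemd`, the user manager and its autostart units) runs in either case, because it belongs to sshd's session setup, not to the subsystem. The check below takes a passwd entry and saved output of `sshd -T -C user=NAME` and says whether an SFTP login of that account can work; the passwd entries and `sshd -T` files in the test are constructed.

```bash
#!/bin/sh
# Added example, not from the question. Decides from a passwd entry and the
# effective sshd settings for that user (saved `sshd -T -C user=NAME` output)
# whether the sftp request can ever reach an SFTP server process.
# sshd -T prints "forcecommand none" when no ForceCommand applies, and
# "subsystem sftp <program>" for the sftp subsystem.

# sftp_account_check PASSWD_LINE SSHD_T_FILE -> verdict on stdout; returns 1
# when the login cannot succeed.
sftp_account_check() {
    shell=${1##*:}
    force=$(awk '$1 == "forcecommand" { print $2 }' "$2")
    subsys=$(awk '$1 == "subsystem" && $2 == "sftp" { print $3 }' "$2")
    if [ "$force" = none ] || [ -z "$force" ]; then prog=$subsys; else prog=$force; fi
    if [ "$prog" = internal-sftp ]; then
        echo "ok: in-process sftp, login shell $shell is never run"
        return 0
    fi
    case $shell in
        */nologin|*/false)
            echo "fail: $prog would be started by $shell -c, which refuses"
            return 1 ;;
    esac
    echo "ok: $prog runs via $shell -c (keep its startup files silent)"
    return 0
}

# Demo with constructed inputs mirroring the question: external sftp-server
# plus a nologin shell fails; forcing internal-sftp makes the same account work.
demo() {
    d=$(mktemp -d)
    printf 'forcecommand none\nsubsystem sftp /usr/lib/openssh/sftp-server\n' > "$d/external"
    printf 'forcecommand internal-sftp\nsubsystem sftp /usr/lib/openssh/sftp-server\n' > "$d/forced"
    sftp_account_check 'myuser:x:1003:1003::/home/myuser:/sbin/nologin' "$d/external" || true
    sftp_account_check 'myuser:x:1003:1003::/home/myuser:/sbin/nologin' "$d/forced"
    rm -rf "$d"
}
```

The configuration that passes this check for a transfer-only account is `Match Group sftp` with `ChrootDirectory %h` (root-owned, mode 755) and `ForceCommand internal-sftp`, leaving the `nologin` shell in place so nothing else can run. The systemd user manager, snap and PipeWire units in the syslog excerpt come from `pam_systemd` in the session stack, not from sshd; one common way to keep them away from such accounts is to skip that module for the group in the PAM session configuration, for example a `session [success=1 default=ignore] pam_succeed_if.so quiet user ingroup sftp` line placed immediately before `session optional pam_systemd.so`.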
0 votes, 0 answers, 51 views
sftp + thunar in Debian 12 is in a password loop
I recently bought a new laptop and installed Debian 12 + the xfce environment. And I'd like to access my server (which has Debian 12) with Thunar, as I always did before.

I can access my server via sftp with the command line, but when I try to access it with the address bar in Thunar (e.g. sftp://user@server.com/) it enters a password loop, asking for the password continuously. Note that it should not even ask for the password, because I usually keep an ssh connection with the server and I use openssh multiplexing.

I have all gvfs packages installed (needless to say that I can enter with my old laptop running Ubuntu 20.04).

Any clue? Thanks in advance for any suggestion.

Alex
Alessandro (3 rep), Apr 15, 2025, 06:25 PM
1 vote, 1 answer, 100 views
Problems with systemd-logind & d-bus on a busy SFTP server
We recently upgraded a high volume CentOS 7 SFTP server running `openssh/internal-sftp` to Rocky Linux 8. However, since the upgrade we are experiencing login timeout issues after the server has been running for 1-2 hours. This seems to be related to the number of open SFTP sessions and/or `systemd --user` processes.

After 1-2 hours new SFTP logins become extremely slow and we start seeing these messages in the log:

```
Apr 14 12:16:58 sftp sshd: pam_systemd(sshd:session): Failed to create session: Connection timed out
```

Sometimes it clears up if enough SFTP sessions are closed fast enough, but more often we have to reboot the server to restore normal service.

Would it be advisable to disable `systemd-logind`, as this doesn't seem needed for SSH?

**UPDATE**

Not sure if this is relevant, but `systemctl list-units --state=abandoned` returns hundreds of abandoned sessions.

**UPDATE 2**

After disabling `pam_systemd.so` the system is running normally again. This effectively disables `systemd-logind` for SSH sessions. An 80% reduction in system load indicates a massive performance penalty using `systemd-logind`. Is this normal?!
drjeep (125 rep), Apr 14, 2025, 03:10 PM • Last activity: Apr 15, 2025, 10:39 AM
1 vote, 1 answer, 56 views
PAM maxlogins limit not working
Since upgrading from CentOS 7 to Rocky Linux 8 our PAM `maxlogins` limit is no longer being enforced for SFTP sessions. SFTP users belong to the `sftp` group and we have this in `/etc/security/limits.d/10-maxlogins.conf`:

```
@sftp - maxlogins 1
```

We use `internal-sftp` for SFTP sessions and have this in `/etc/ssh/sshd_config`:

```
Subsystem sftp internal-sftp -l INFO
Match Group sftp
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no
```

However, users are still managing to open > 1 concurrent SFTP sessions. Should we be doing anything different in EL8 to enforce these limits?

**UPDATE**

Enabled PAM debug logging and can see it's reading the relevant config files. However, the limit is not enforced.

```
Apr 10 16:13:04 sftp-test sshd: Accepted password for sftptest from 10.3.200.146 port 60976 ssh2
Apr 10 16:13:04 sftp-test sshd: pam_limits(sshd:session): reading settings from '/etc/security/limits.conf'
Apr 10 16:13:04 sftp-test sshd: pam_limits(sshd:session): reading settings from '/etc/security/limits.d/10-max-logins.conf'
Apr 10 16:13:04 sftp-test sshd: pam_limits(sshd:session): checking if sftptest is in group sftp
Apr 10 16:13:04 sftp-test sshd: pam_limits(sshd:session): process_limit: processing - maxlogins 1 for GROUP
Apr 10 16:13:04 sftp-test sshd: pam_limits(sshd:session): checking logins for 'sftptest' (maximum of 1)
Apr 10 16:13:04 sftp-test systemd: pam_unix(systemd-user:session): session opened for user sftptest(uid=1000) by sftptest(uid=0)
Apr 10 16:13:04 sftp-test sshd: pam_unix(sshd:session): session opened for user sftptest(uid=1000) by sftptest(uid=0)
Apr 10 16:13:26 sftp-test sshd: Accepted password for sftptest from 10.3.200.146 port 52110 ssh2
Apr 10 16:13:26 sftp-test sshd: pam_limits(sshd:session): reading settings from '/etc/security/limits.conf'
Apr 10 16:13:26 sftp-test sshd: pam_limits(sshd:session): reading settings from '/etc/security/limits.d/10-max-logins.conf'
Apr 10 16:13:26 sftp-test sshd: pam_limits(sshd:session): checking if sftptest is in group sftp
Apr 10 16:13:26 sftp-test sshd: pam_limits(sshd:session): process_limit: processing - maxlogins 1 for GROUP
Apr 10 16:13:26 sftp-test sshd: pam_limits(sshd:session): checking logins for 'sftptest' (maximum of 1)
Apr 10 16:13:26 sftp-test sshd: pam_unix(sshd:session): session opened for user sftptest(uid=1000) by sftptest(uid=0)
```
drjeep (125 rep), Apr 10, 2025, 11:45 AM • Last activity: Apr 13, 2025, 02:27 AM
1 vote, 1 answer, 2949 views
Can't SFTP with sftp command but can connect with sftp:// and other sftp clients
I have been stuck with this issue all afternoon and I don't know what is going on. The reason why I need to use the sftp command is because I am using it in a shell script. If there is another program I could use that comes with CentOS 7 that allows me to download a file using SFTP, then please enlighten me.

**EDIT 1**

SFTP clients used: WinSCP and PSFTP.

Tested this from different computers, both running on the same network and from the internet (used only IP addresses here). This works as expected from the same computer (used localhost and the loopback address).

The firewalld service is stopped, and no proxy is being used or has been configured at any time.

The error I am getting is (using `sftp -vvv sftp@hostname`):

```
debug1: connect to ipaddress port 22: Connection timed out
ssh: connect to host ipaddress port 22: Connection timed out
Couldn't read packet: Connection reset by peer
```

My sshd_config file (server-side):

```
# $OpenBSD: sshd_config,v 1.93 2014/01/10 05:59:19 djm Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/local/bin:/usr/bin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
# The default requires explicit activation of protocol 1
#Protocol 2
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024
# Ciphers and keying
#RekeyLimit default none
# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
#RSAAuthentication yes
#PubkeyAuthentication yes
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes
# GSSAPI options
#GSSAPIAuthentication yes
GSSAPIAuthentication no
GSSAPICleanupCredentials no
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
#GSSAPIEnablek5users no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several
# problems.
UsePAM yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
UsePrivilegeSeparation sandbox # Default for new installations.
#PermitUserEnvironment no
#Compression delayed
ClientAliveInterval 60
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none
# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
# override default of no subsystems
Subsystem sftp internal-sftp
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
Match User sftp
    ForceCommand internal-sftp
    PasswordAuthentication yes
    ChrootDirectory /home/sftp
    PermitTunnel no
    AllowAgentForwarding no
    AllowTcpForwarding no
    X11Forwarding no
```

Code used to create the user:

```bash
mkdir -p /home/sftp
chown root /home/sftp
chmod 755 -R /home/sftp
useradd -d /home/sftp -r sftp
usermod -s /sbin/nologin sftp
echo "password" | passwd --stdin sftp
```

I have not touched the sshd_config file from the clients, so I guess it is just the defaults from installation (in my implementation I cannot change those configuration files).
Juanse Albuja (11 rep), Dec 29, 2017, 03:48 PM • Last activity: Apr 11, 2025, 10:01 AM
0 votes, 1 answer, 2158 views
use chroot to lock down sftp access without root owning folder
Everything I am reading says that for `chroot` to work with `sftp` `root` has to own the folder. I want to make it so a user can only `sftp` to a sub-directory in their home folder like `/home/user/some/folder`. Obviously ro
Everything I am reading says that for
chroot
to work with sftp
root
has to own the folder. I want to make it so a user can only sftp
to a sub-directory in their home folder like /home/user/some/folder
. Obviously ro
IMTheNachoMan (433 rep), Dec 23, 2018, 12:52 AM • Last activity: Apr 8, 2025, 01:00 PM
0 votes, 1 answer, 2261 views
Perform sudo commands via midnight commander and sftp
I use midnight commander to sftp into my Ubuntu VPS. The VPS requires sudo for anything important, e.g. copy/move/delete files. So, for example, I cannot press F5 to copy (except into `~`).

Is it possible for mc to ask for user elevation / send `sudo` when needed?
lonix (1965 rep), Mar 11, 2021, 09:47 AM • Last activity: Apr 6, 2025, 10:04 PM
0 votes, 1 answer, 2754 views
How to configure sshd to have both ssh and sftp connection?
I have two Linux machines. One of them must be an sftp server. I added the following lines to the `/etc/ssh/sshd_config` file:

```
#SFTP server configuration
Match Group root
    ChrootDirectory /share
    ForceCommand internal-sftp
```

So now I can put and get files over sftp, but when I try to connect to my sftp server over ssh I get the following error:

> This service allows sftp connections only.

What should I do to enable both sftp and ssh for root? Thank you in advance for any help.
user6758 (23 rep), Jul 25, 2021, 11:07 AM • Last activity: Apr 3, 2025, 04:00 PM
12 votes, 5 answers, 18797 views
How to prevent "Last Login:" message from showing up when using sftp?
In Ubuntu GNU/Linux 12.04, I have a user `johndoe` that is part of an `sftponly` group, set up to `sftp` to a `chroot` jail using

```
Subsystem sftp internal-sftp
Match Group sftponly
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no
```

at the end of `/etc/ssh/ssh_config`. All components of the user's home directory are `root`-owned directories that are not writeable by any other user or group, as explained in `man sshd_config` (under `ChrootDirectory`). Inside his `chroot` jail, there is a writeable directory `files`:

```bash
sudo groupadd sftponly
sudo mkdir -p /home/sftponly/johndoe/files
sudo useradd -d /home/sftponly/johndoe -g sftponly -s /usr/sbin/nologin johndoe
sudo chmod go-w /home/sftponly/{,johndoe}
sudo chown johndoe:sftponly /home/sftponly/johndoe/files
sudo chmod ug+rwX /home/sftponly/johndoe/files
```

(Setting the shell to `/bin/false` did not work with either `ssh` or `sftp`. With `nologin` as the shell, `ssh` connects, shows "MOTD", and then disconnects, which is the expected behavior.)

But `sftp` fails with the message `Received message too long 1416128883`. I know this failure is caused by "MOTD" (Message Of The Day), as `sftp` expects a "clean login." I have tried disabling all "MOTD" pieces on the server using the following, with (**these results**):

* Adding `PrintLastLog no` and `PrintMotd no` to the end of `/etc/ssh/ssh_config` and restarting `ssh` using `restart ssh`. (**No effect**. Testing with `ssh` shows both "MOTD" and "Last Login:".)
* Commenting out `session optional pam_motd.so` in `/etc/pam.d/sshd`. (**Prevents MOTD**. But there is no corresponding entry for "LastLog" so, testing with `ssh`, "Last Login:" still shows up and hence **`sftp` still fails**.)
* Commenting out `session optional pam_lastlog.so` and `session optional pam_motd.so` in `/etc/pam.d/login`. (**No effect**. Testing with `ssh` shows both MOTD and "Last Login:".)
* Creating the `.hushlogin` file on the client using `touch ~/.hushlogin`. (**No effect**.)

I am out of ideas. Where else may this "Last Login:" message be coming from and how can it be disabled (ideally only for `sftp` and not for `ssh` logins, but, I imagine, as `sftp` uses `ssh`, the message is going to be there either for both or none)?
0mid
(490 rep)
Apr 19, 2014, 10:41 AM
• Last activity: Mar 24, 2025, 02:17 AM
6
votes
1
answers
19704
views
How to use mobaxterm ssh/SFTP client with root files?
As I understood from https://unix.stackexchange.com/questions/111026/how-to-use-sftp-on-a-system-that-requires-sudo-for-root-access-ssh-key-based-a question there are not simple ways to use SFTP client with root stuff. I wish to use mobaxterm windows ssh, SFTP client login to Ubuntu server with keys...
As I understood from the https://unix.stackexchange.com/questions/111026/how-to-use-sftp-on-a-system-that-requires-sudo-for-root-access-ssh-key-based-a question, there are no simple ways to use an SFTP client with root stuff. I wish to use the MobaXterm Windows ssh/SFTP client to log in to an Ubuntu server with keys. I log in as a user that has sudoer privilege, so I can elevate to root. The problem is that the MobaXterm SFTP client doesn't have sufficient permissions to write to root's files. Any ideas or workarounds to achieve the task?
Yurij
(223 rep)
Oct 2, 2018, 04:22 PM
• Last activity: Mar 18, 2025, 12:01 PM
0
votes
1
answers
160
views
Log management using SFTP with openssh-server
I'm struggling to find a solution regarding this problem: My goal is to set up an sftp server on Debian 12; there will be several directories corresponding to each department of my firm, and every member of each department should be able to access their corresponding directory. I've tried many soluti...
I'm struggling to find a solution regarding this problem:
My goal is to set up an sftp server on Debian 12; there will be several directories corresponding to each department of my firm, and every member of each department should be able to access their corresponding directory. I've tried many solutions but I'm struggling with one point: whenever I'm using chroot I cannot retrieve any logs besides the connection ones.
I tried something like:
    Subsystem sftp internal-sftp -f LOCAL7 -l VERBOSE
    Match Group sftpusers
        ChrootDirectory /var/sftp
        ForceCommand internal-sftp
        PasswordAuthentication yes
        PermitTunnel no
        AllowTcpForwarding no
        X11Forwarding no
I have another concern: it seems that my chroot directory is not reachable unless it's set up like this:
    chown root:sftpusers /var/ftp
    chmod 750 /var/ftp
If I try `chmod 770 /var/ftp`, I cannot connect to my server.
If anybody has a clue regarding this matter it will be a great help.
Maybe I'm doing things wrong and my choices are not the good ones; I'm open to every suggestion to solve this. Thank you
Ben
(1 rep)
Mar 6, 2025, 06:42 AM
• Last activity: Mar 9, 2025, 05:48 PM
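Two of the questions on this page (the `johndoe` chroot jail above and the `chmod 770 /var/ftp` failure just above) run into the same rule from sshd_config(5): every component of a `ChrootDirectory` path must be owned by root and must not be writable by group or others, or sshd refuses the session. The following is an added example of my own, not code from any of the posts: a POSIX sh checker that walks the path and reports the first offending component. It assumes GNU stat(1) from coreutils; the `/var/sftp` and `sales` names in the trailing comment are illustrative, not taken from the posts.

```shell
#!/bin/sh
# Added example, not code from any of the posts above.  It checks the rule
# from sshd_config(5) for ChrootDirectory: every component of the path must
# be owned by root and must not be group- or world-writable.  That rule is
# why "chmod 770" on the jail breaks logins while "chmod 750" works.
# Assumes GNU stat(1) (coreutils); /var/sftp below is an assumed path.

# component_ok PATH [OWNER_UID]
# Returns 0 if PATH is owned by OWNER_UID (default 0, root) and has neither
# the group nor the other write bit set; prints the reason and returns 1 if not.
component_ok() {
    p=$1
    want_uid=${2:-0}
    uid=$(stat -c %u "$p") || return 1
    perm=$(stat -c %A "$p") || return 1
    if [ "$uid" != "$want_uid" ]; then
        echo "$p: owned by uid $uid, sshd requires uid $want_uid"
        return 1
    fi
    # In "drwxrwxrwx" the group write bit is character 6 and the other
    # write bit is character 9; either one makes sshd refuse the chroot.
    case $perm in
        ?????w*|????????w*)
            echo "$p: mode $perm is group- or world-writable"
            return 1 ;;
    esac
    return 0
}

# check_chroot_path DIR [OWNER_UID]
# Walks from / down to DIR and checks every component, stopping at the
# first violation.  On the server, as root:  check_chroot_path /var/sftp
check_chroot_path() {
    dir=$1
    want_uid=${2:-0}
    component_ok / "$want_uid" || return 1
    acc=""
    oldifs=$IFS
    IFS=/
    set -f            # no globbing while the path is split on "/"
    set -- $dir
    set +f
    IFS=$oldifs
    for comp; do
        [ -n "$comp" ] || continue
        acc="$acc/$comp"
        component_ok "$acc" "$want_uid" || return 1
    done
    echo "$dir: acceptable as ChrootDirectory"
    return 0
}

# Only the jail root and its parents are constrained; directories inside
# the jail may be group-writable.  Typical layout (assumed names):
#   install -d -o root -g root  -m 755  /var/sftp
#   install -d -o root -g sales -m 2770 /var/sftp/sales
```

The checker deliberately stops at the first bad component, because that is also where sshd stops: a world-writable `/tmp` above the jail fails the check just as a group-writable jail root does. To see which `Match` block sshd actually applies to a user (and therefore whether `ChrootDirectory` and `ForceCommand` are in effect for them at all), run `sshd -T -C user=johndoe | grep -i -e chroot -e forcecommand` on the server; sshd only reads `sshd_config`, so settings placed in the client-side `ssh_config` never show up there.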
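Two further points from the questions on this page (the `Match Group root` block that locks root out of a shell, and the missing transfer logs in the Debian 12 chroot) come down to how `ForceCommand internal-sftp` interacts with the rest of sshd. This is an added configuration example of my own, not a fragment from any of the posts: the group name `sftponly`, the path `/var/sftp` and the log file name are assumptions. It shows a sftp-only `Match` block that does not touch root, carries the logging options on the `ForceCommand` line (the options on the `Subsystem` line are not used once `ForceCommand` names `internal-sftp`), and the rsyslog input that gives the jailed sftp server a `/dev/log` to write to.

```conf
# --- /etc/ssh/sshd_config (assumed: group "sftponly" is jailed under /var/sftp)
Subsystem sftp internal-sftp

# Match a dedicated group, never "Group root": ForceCommand applies to every
# session of the matched users, which is exactly why an interactive root
# login then answers "This service allows sftp connections only."
Match Group sftponly
    ChrootDirectory /var/sftp
    # The "-f LOCAL7 -l VERBOSE" on the Subsystem line is ignored here;
    # the in-process sftp server takes its options from ForceCommand.
    ForceCommand internal-sftp -f LOCAL7 -l VERBOSE
    AllowTcpForwarding no
    X11Forwarding no
    PermitTunnel no

# --- /etc/rsyslog.d/sftp-chroot.conf (Debian's rsyslog.conf already loads imuxsock)
# Inside the jail there is no /dev/log, so internal-sftp's VERBOSE messages are
# silently dropped.  Give rsyslog a second socket inside the chroot; CreatePath
# makes it create /var/sftp/dev itself.
input(type="imuxsock" Socket="/var/sftp/dev/log" CreatePath="on")
local7.*    /var/log/sftp.log
```

After `systemctl restart rsyslog sshd`, each `open`, `close`, `rename` and `remove` performed by a jailed user lands in `/var/log/sftp.log` with the user name and the path relative to the jail; connection and authentication lines keep going to the regular auth log. The jail root `/var/sftp` itself stays `root:root 755`; the per-department directories below it are where group write access belongs.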