How to create just a simple SSH/SFTP user?

Hello,

I have set up a domain, and can connect with FileZilla via SFTP. However, this is the administrator and gives me access to everything.

I want to create a user with just access to the domains directory of this server, or with just access to a single sub-server.

Also, I don't need an e-mail account etc. to be created, just a simple user.

Using Virtualmin 4.04 GPL.

How to do this?

Thanks!

You want a regular user to be able to connect via SFTP? This is determined through the user’s login shell, which you can configure under “Other user permissions -> Login permissions”.

If you don’t see a shell that allows for SSH/SFTP, you need to create/enable one under “System Customization -> Custom Shells”. If possible and available for your distro, use a shell with “scponly” as executable.

A Linux user will always be created in this case; if they should not get an email address, you need to set “Email settings -> Primary email address enabled” for the user to “No”.

Hi,

Thanks for your help.

I see in my shell I have the option of SCP (under a description of ‘Email and SCP’), and in documentation I read this would be SSH.

But what configuration do I need in custom shells? At the moment, the shell for SCP (scponly) has ‘No login’ under access. So I did change this to SSH and FTP, assuming that I now would be able to connect via SSH with this user from FileZilla, but I still get ‘authentication failed’. Do I need to restart some service after changing shells?

I don't want to create FTP users, because I would have to enable the FTP service. And to keep memory usage as low as possible I only would like to go with SSH.

So my guess is, the /usr/bin/scponly shell is what I have to go with, and the access level has to be set to SSH and FTP, right? Now, why can't I connect? My main user allows me to connect using the VPS IP and username listed in users, but if I use this username I don't have access…

I now see that I need to use the name under IMAP/POP3/FTP login, instead of the name I added. So my login name would be username.domain.

Now I can successfully connect! Thanks for that :slight_smile: But, I still have this issue:

  • How can I permit this user only access to the domains directory of the mainserver?

Let me explain it this way:
Previously I was on shared hosting. Sometimes, external persons had to get access to a specific site or folder. I just created an FTP user for a directory. But now, if I create an SSH user, it gets full access.

Or is this just not possible and do I have to run FTP anyway?

Furthermore, I get this error while setting the home directory to domains:

“Failed to save mailbox : Home directory /home/myservername/domains already exists”

About “permit this user only access to the domains directory”: The simple answer is, you can’t. Not without considerable fiddling with SSH jails and chroot environments (which is something you want to do only if you have a considerable level of expertise).

Normally, SSH users always have access to the whole file system. Access rights are in place though, so users cannot read/write sensitive files like passwords or other users’ home directories.

Furthermore, every web user can potentially upload a web-based file system browser, which also has access to the whole file system, just like with SSH. So this is not really a security issue.

Don’t try to fiddle with the user’s home directory if you don’t know what you’re doing! :slight_smile: Virtualmin’s defaults are good as they are.
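Setting up the chroot jail the answer above describes as “considerable fiddling”, as an added example that is not part of the thread and is not Virtualmin’s own code. It uses OpenSSH’s ChrootDirectory together with the in-process internal-sftp server instead of the scponly shell discussed earlier, so the user gets SFTP only, confined to one directory, with no FTP daemon running. The user name “siteuser”, the jail path “/home/myservername/domains/jail” and the function names are assumptions for illustration; the permission check needs GNU stat, and applying the result needs root.

```shell
#!/bin/sh
# Added example, not from the forum thread or Virtualmin: jail one SFTP user
# in one directory with OpenSSH's ChrootDirectory + ForceCommand internal-sftp.
# Assumed names: user "siteuser", jail "/home/myservername/domains/jail".
# The checks run as any user; editing sshd_config and chown'ing need root.

# sshd refuses a ChrootDirectory unless the directory and every parent are
# owned by root (uid 0) and not writable by group or others; otherwise the
# login fails with "bad ownership or modes for chroot directory" in the log.
# mode_ok takes a uid and an octal mode string as printed by stat -c '%a'.
mode_ok() {
    uid=$1
    perm=$2
    [ "$uid" = "0" ] || return 1
    # keep only the group and other digits (last two octal digits);
    # a set write bit makes such a digit one of 2, 3, 6 or 7
    go=${perm#"${perm%??}"}
    case "$go" in
        *[2367]*) return 1 ;;
    esac
    return 0
}

# Walk from the jail up to / and apply mode_ok to every path component.
chroot_ok() {
    dir=$1
    while [ -n "$dir" ]; do
        [ -d "$dir" ] || return 1
        mode_ok $(stat -c '%u %a' "$dir") || return 1
        if [ "$dir" = "/" ]; then
            break
        fi
        dir=$(dirname "$dir")
    done
    return 0
}

# Print the sshd_config Match block that confines the user to SFTP inside
# the jail. internal-sftp runs inside sshd itself, so no binaries, libraries
# or shell need to be copied into the jail, and forwarding is switched off
# so the account cannot be used as a tunnel into the server.
sftp_match_block() {
    user=$1
    jail=$2
    printf 'Match User %s\n' "$user"
    printf '    ChrootDirectory %s\n' "$jail"
    printf '    ForceCommand internal-sftp\n'
    printf '    AllowTcpForwarding no\n'
    printf '    X11Forwarding no\n'
    printf '    PermitTunnel no\n'
}

# Stand-alone run: report on the assumed jail path and print the block.
JAIL=/home/myservername/domains/jail   # assumed path
if chroot_ok "$JAIL"; then
    echo "# $JAIL passes the ChrootDirectory ownership/permission check"
else
    echo "# $JAIL is missing or not root-owned and 0755 all the way up; fix before enabling"
fi
sftp_match_block siteuser "$JAIL"
```

To apply it: create the jail root-owned with mode 0755 (`chown root:root`, `chmod 755`), add a subdirectory inside it that the user owns (for example `jail/site`), because the root-owned jail itself is read-only for them; append the printed block at the end of /etc/ssh/sshd_config, since Match blocks must come last; run `sshd -t` to validate the file; then reload sshd. The user then sees the jail as “/” in FileZilla and can write only in their own subdirectory. Because internal-sftp runs inside sshd, the user’s login shell is never executed, so a no-login shell does not block SFTP.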

Okay, but still, it seems like quite a basic requirement to have users access only certain folders? Like I said:
“Sometimes, external persons had to get access to a specific site or folder. I just created an FTP user for a directory.”

So would this require me to run FTP? I want an easy solution, and thought Virtualmin would help me with this kind of matter, as I am used to with my shared hosting panels such as DirectAdmin and Plesk (now Parallels Plesk).

If this is only possible via FTP, fine, but I don't want to install FTP if not necessary…

BTW, thanks for your help! :slight_smile:

If you require an easy way to set up users with access completely restricted to certain folders, yeah FTPS would be a better way to go. Mind the “S”, as in FTP over SSL, because pure FTP is completely unencrypted, and you don’t want to send passwords over the net unencrypted if it can be avoided. :slight_smile:

Ok, thanks. Any tips on how to configure this using as low memory as possible?