Yes 👍 exactly — if in the future you want to add a second upload user, you just repeat the same process.
Since you already have:
- ✅ damon = admin
- 🔒 christak = jailed upload user
- 📂 Shared group = webgroup
- 🏗 Jail root = /var/www/html
Adding a new person is very simple 👇
🚀 Add New Upload User (Example: john)
✅ 1️⃣ Create user
sudo useradd john
sudo passwd john
(or skip password if using SSH key only)
✅ 2️⃣ Add to webgroup
sudo usermod -aG webgroup john
Check:
groups john
Should show:
john : john webgroup
✅ 3️⃣ Add SSH Key (if using PPK)
sudo mkdir /home/john/.ssh
sudo nano /home/john/.ssh/authorized_keys
Paste public key.
Fix permissions:
sudo chown -R john:john /home/john/.ssh
sudo chmod 700 /home/john/.ssh
sudo chmod 600 /home/john/.ssh/authorized_keys
✅ 4️⃣ SSH Jail Already Covers Him (Important)
If your sshd_config contains:
Match Group webgroup
ChrootDirectory /var/www/html
ForceCommand internal-sftp
Then you DO NOT need to edit sshd again.
Because:
👉 Any user in webgroup automatically gets jailed.
Just restart SSH (only if you changed something):
sudo systemctl restart sshd
🎯 Final Result
| User | Admin | Jail | Upload |
|---|---|---|---|
| damon | ✅ | ❌ | ✅ |
| christak | ❌ | ✅ | ✅ |
| john | ❌ | ✅ | ✅ |
🔥 Pro Tip (Very Clean Setup)
Using:
Match Group webgroup
is better than:
Match User christak
Because now you can add unlimited upload users without touching sshd_config again.
If you want next level security, I can also show you:
- Separate folders per user inside /uploads
- Read-only user option
- Auto-set file permissions for Apache
Just tell me 👍
so can you show me step by step again from fresh with authorized_key so I like start now
Yep — here is the full step-by-step from fresh, for CentOS Stream 10 + WinSCP SFTP + authorized_keys, with:
- damon stays admin
- Upload users are jailed to /var/www/html
- Upload allowed only in /var/www/html/uploads
- Key auth only (no password)
- No SSH shell
I’ll show it as copy/paste blocks.
0) Safety check (do this first)
Keep your current SSH session open while testing, so you don’t lock yourself out.
1) Create the upload group
sudo groupadd webgroup
(if it says already exists, that’s fine)
2) Create the upload user (example: christak)
sudo useradd -m -s /sbin/nologin -G webgroup christak
Notes:
- -m creates /home/christak
- -s /sbin/nologin prevents shell login (extra safety)
3) Set up authorized_keys for that user
3.1 Create .ssh and file
sudo mkdir -p /home/christak/.ssh
sudo nano /home/christak/.ssh/authorized_keys
Paste ONE LINE public key (starts with ssh-rsa or ssh-ed25519), save and exit.
3.2 Fix permissions (IMPORTANT)
sudo chown -R christak:christak /home/christak/.ssh
sudo chmod 700 /home/christak/.ssh
sudo chmod 600 /home/christak/.ssh/authorized_keys
4) Prepare the chroot (jail) folder structure
4.1 Chroot root must be owned by root
sudo chown root:root /var/www/html
sudo chmod 755 /var/www/html
4.2 Create upload folder inside jail
sudo mkdir -p /var/www/html/uploads
sudo chown root:webgroup /var/www/html/uploads
sudo chmod 770 /var/www/html/uploads
Now upload users in webgroup can write only to /uploads.
5) Lock down SSH for that group (SFTP-only jail)
Edit SSH config:
sudo nano /etc/ssh/sshd_config
Add this at the very bottom:
Match Group webgroup
ChrootDirectory /var/www/html
ForceCommand internal-sftp
PasswordAuthentication no
PubkeyAuthentication yes
X11Forwarding no
AllowTcpForwarding no
If you have PasswordAuthentication yes earlier in the file, that’s OK — the Match block overrides for webgroup.
Restart SSH:
sudo systemctl restart sshd
6) SELinux fix (CentOS often needs this)
Run:
sudo restorecon -R /var/www/html
If Apache must write to uploads later:
sudo chcon -R -t httpd_sys_rw_content_t /var/www/html/uploads
(That lets the web server write into /uploads.)
7) Remove dangerous groups from christak (upload user should NOT be admin)
sudo gpasswd -d christak google-sudoers 2>/dev/null
sudo gpasswd -d christak wheel 2>/dev/null
sudo gpasswd -d christak docker 2>/dev/null
sudo gpasswd -d christak lxd 2>/dev/null
sudo gpasswd -d christak adm 2>/dev/null
Check final groups:
groups christak
You want something like:
christak : christak webgroup
8) Test with WinSCP
WinSCP settings:
- File protocol: SFTP
- Host: your server IP
- Port: 22
- User: christak
- Advanced → SSH → Authentication → choose your private key (.ppk)
✅ After login, christak should see:
- /uploads (and upload files there)
❌ Should NOT see /etc, /root, /var/log, etc.
9) Add a second upload user later (same steps, shorter)
For user2:
sudo useradd -m -s /sbin/nologin -G webgroup user2
# add /home/user2/.ssh/authorized_keys + perms
No need to change sshd_config again.
If you paste:
- the last ~30 lines of your /etc/ssh/sshd_config (just the Match block area), and
- output of ls -ld /var/www/html /var/www/html/uploads
I’ll confirm everything is perfect before you test WinSCP.