Search our site for answers
Help Docs Control Panel Guides The Ultimate Guide to the InterWorx Control Panel (2025) NodeWorx Guide NodeWorx Security Using SSH keys for SFTP users with mod_sftp (InterWorx)

Using SSH keys for SFTP users with mod_sftp (InterWorx)

Secure SFTP on SiteWorx: Set up SSH key auth with `mod_sftp`. Enhance security & automate logins. Guide covers key gen, config & port 24.
Control Panel InterWorx SiteWorx
8 min read

Secure File Transfer Protocol (SFTP) allows you to securely transfer files to and from your server. Using SSH keys instead of passwords for SFTP authentication enhances security by providing a more robust and complex authentication method. This guide will walk you through setting up an SFTP user in SiteWorx to use SSH key authentication with mod_sftp.

Key Benefits of Using SSH Keys for SFTP:

  • Enhanced Security: SSH keys are significantly more difficult to brute-force compared to passwords.
  • Automation: Keys facilitate automated scripts and processes that require SFTP access without needing to embed passwords.
  • Convenience: Once set up, logging in with an SSH key can be quicker than typing a password, especially if you use an SSH agent.

This process involves creating a dedicated directory for the SFTP user, generating an SSH key pair, configuring the server to accept the public key, and then creating the SFTP user in SiteWorx.

Configuration steps

Follow these steps carefully to configure your SFTP user with SSH key authentication.

1. Create the SFTP user’s directory and .sftp subdirectory

First, you’ll need to create the home directory for your SFTP user and a special .sftp subdirectory within it. This .sftp directory will store the authorized public keys.

  1. Log in to your server via SSH as the root user or a user with sudo privileges.
  2. Navigate to the parent directory where you want to create the SFTP user’s home directory. For example, if your SiteWorx user’s home is /home/siteworxuser/yourdomain.com/, you might create the SFTP user’s directory there.
  3. Create the SFTP user’s home directory. Let’s call it sftp_user_directory for this example: mkdir /home/siteworxuser/yourdomain.com/sftp_user_directory
  4. Switch to this new directory: cd /home/siteworxuser/yourdomain.com/sftp_user_directory
  5. Create the .sftp directory: mkdir .sftp
  6. Set the correct permissions for the .sftp directory. These permissions are crucial for security and functionality. The mod_sftp module requires specific permissions. chmod 700 .sftp
    • Why 700? This permission (drwx------) means only the owner of the directory (which will be the SiteWorx user) has read, write, and execute permissions. This is essential to protect the authorized_keys file.

2. Generate an SSH key pair

You can generate an SSH key pair on your local workstation or directly on the server. For security, it’s often recommended to generate it on your local machine and then transfer the public key. However, if generating on the server, ensure you secure the private key immediately.

The following command generates a robust 4096-bit RSA key.

  1. If generating on the server (ensure you are in a secure location or the user’s intended home directory), run: ssh-keygen -t rsa -b 4096 -C "sftp_username@yourdomain.com-$(date +%F)"
    • Replace sftp_username@yourdomain.com with the actual SFTP username you plan to use or a descriptive comment. The $(date +%F) part adds the current date to the comment, which can be helpful for tracking.
    • When prompted, you can choose to enter a passphrase for the private key. This adds an extra layer of security – even if someone gains access to your private key, they still need the passphrase.
    • By default, this will create two files: id_rsa (the private key) and id_rsa.pub (the public key). Rename them descriptively if you are managing multiple keys. For this guide, let’s assume the public key is named sftp_user.pub and the private key is sftp_user.key.

3. Convert and add the public key to authorized_keys

mod_sftp (which uses ProFTPD’s SFTP module) requires the public key to be in RFC4716 format.

  1. Ensure you are in the directory where you generated the keys, or provide the correct path to your public key file (sftp_user.pub in our example).
  2. Convert the OpenSSH public key to RFC4716 format and append it to the authorized_keys file within the .sftp directory you created earlier: ssh-keygen -e -f /path/to/your/sftp_user.pub >> /home/siteworxuser/yourdomain.com/sftp_user_directory/.sftp/authorized_keys
    • Important: Make sure to use >> (append) and not > (overwrite), especially if you plan to add multiple keys to this file.
    • Replace /path/to/your/sftp_user.pub with the actual path to the public key file you generated.
    • Replace /home/siteworxuser/yourdomain.com/sftp_user_directory/ with the actual path to the SFTP user’s directory.

4. Set permissions for authorized_keys

The authorized_keys file also needs strict permissions.

  1. Set the permissions for the authorized_keys file: chmod 600 /home/siteworxuser/yourdomain.com/sftp_user_directory/.sftp/authorized_keys
    • Why 600? This permission (-rw-------) means only the owner (the SiteWorx user) has read and write access to this file. No other users can read it, and no one can execute it.

5. Create the FTP user in SiteWorx

Now, create the FTP user through your SiteWorx control panel.

  1. Log in to your SiteWorx account.
  2. Navigate to Hosting Features > FTP Accounts.
  3. Click Add FTP Account.
  4. Enter the desired FTP Username (e.g., sftp_user).
  5. Enter a strong password. While you’ll be using SSH key authentication, SiteWorx requires a password to be set for the FTP account. This password will not be used for your key-based SFTP connections if mod_sftp is configured to prioritize key authentication.
  6. For the Home Directory, specify the full path to the directory you created in Step 1 (e.g., /home/siteworxuser/yourdomain.com/sftp_user_directory). Ensure this path is accurate.
  7. Click Add.

6. Secure and transfer the private key

If you generated the SSH key pair on the server, you must now securely transfer the private key (e.g., sftp_user.key) to your local workstation.

  1. Use scp or another secure method to download the private key.
  2. Crucially, delete the private key from the server after you have securely transferred it. The private key should only exist on the client machine(s) that will be used to connect. Leaving it on the server poses a security risk. # After confirming transfer: rm /path/to/your/sftp_user.key

7. Connect using SFTP (Port 24)

mod_sftp on InterWorx systems typically runs on port 24, not the standard SSH port 22.

  • Username Format: The SFTP username will be in the format ftp_username@yourdomain.com.
  • Hostname: This will be your server’s hostname or IP address.

You can test the connection using an SFTP client like FileZilla, Cyberduck, WinSCP, or the command-line sftp client.

Command-Line example:

Assuming your private key is stored at ~/.ssh/sftp_user.key on your local machine:

sftp -P 24 -i ~/.ssh/sftp_user.key sftp_username@yourdomain.com@your_server_hostname_or_ip
  • -P 24: Specifies port 24.
  • -i ~/.ssh/sftp_user.key: Specifies the path to your private SSH key.
  • sftp_username@yourdomain.com: Your full SFTP username as created in SiteWorx, including the domain.
  • your_server_hostname_or_ip: The hostname or IP address of your Liquid Web server.

If the connection is successful, you’ll be logged into the SFTP user’s designated home directory.

Connected to your_server_hostname_or_ip.
sftp> ls
# You should see the contents of sftp_user_directory, if any.
sftp> quit

Troubleshooting tips

If you encounter issues, here are a few things to check:

  • Port Number: Ensure you are connecting on port 24. This is the most common point of confusion.
  • SFTP Username Format: Double-check that you are using the full SFTP username, including the @yourdomain.com part (e.g., sftp_user@example.com).
  • Permissions: Incorrect file or directory permissions are a primary cause of SFTP key authentication failures. Verify:
    • SFTP user’s home directory (e.g., sftp_user_directory): Typically 755 (drwxr-xr-x) or as set by SiteWorx. The owner should be the SiteWorx master user.
    • .sftp directory: Must be 700 (drwx------), owned by the SiteWorx master user.
    • .sftp/authorized_keys file: Must be 600 (-rw-------), owned by the SiteWorx master user.
  • Public Key Format: The public key in authorized_keys must be in RFC4716 format. If you manually pasted a standard OpenSSH public key, it won’t work. Use the ssh-keygen -e -f your_public_key_file command to convert it.
  • Private Key:
    • Ensure the private key on your local machine corresponds to the public key in authorized_keys.
    • The private key file on your local machine should have restrictive permissions (e.g., 600 or 400).
  • SiteWorx User Configuration: Confirm that the FTP user in SiteWorx is correctly pointing to the SFTP home directory you prepared.
  • Log Files: The ProFTPD SFTP log file can provide valuable clues. Check the following log file on your server: /var/log/proftpd/sftp.log Look for entries related to your connection attempts. Error messages here can often pinpoint the issue.
  • SELinux/AppArmor: If your server uses SELinux or AppArmor, ensure there are no policies blocking ProFTPD’s SFTP operations or access to the user directories/keys. This is less common on typical InterWorx setups but can be a factor on highly customized systems.

If you’ve gone through these steps and troubleshooting tips and are still facing issues, please don’t hesitate to contact our support team for assistance!

Was this article helpful?