Creating and Modifying Users
Credentials and permissions
To create additional credentials for accessing your storage:
- Click + Add credentials.
- Select a username. The username must be unique service-wide and at least 10 characters long. We recommend leaving it blank and letting SFTP To Go generate a unique name for the user.
- This is an optional step: Select a home directory for the credentials. By default, each credential only has access to its own home directory (`/home/<username>`). You can change the credentials' home directory to have multiple credentials access the same directory. The users are chrooted to this directory, meaning that this directory acts as an isolated storage for them. They will not have access to any parent or sibling directories.
- Select the level of permissions for the new user. By default, the user has read-only access to their home directory. For more information on the different permissions, see the table below.
- Choose a nickname for the credentials (optional). This shows up in the UI solely as a friendly user name.
- Click Add credentials. The user will then be assigned a random password (and username, if left empty).
Permissions | Allowed operations |
---|---|
Read-only | List files and directories, Get files |
Write-only | List files and directories, Create directories, Remove empty directories, Put files (no overwrite) |
Read-Write | List files and directories, Create directories, Remove directories, Put files, Get files |
None | Disabled login |
Full Access (root) | List files and directories, Create directories, Remove directories, Put files, Get files, Access all directories (i.e. root dir is the account's root directory) |
Editing user credentials
You may edit existing credentials by clicking the menu button (...) for the particular user you wish to edit and then selecting Edit credentials from the menu. You may change the username, home directory, user's permissions, and the nickname.
Rotating user passwords
To rotate passwords, click the menu button (...) for the specific user and then select Rotate Password in the menu. A new password will be generated for the user and you'll be able to immediately copy it from the credentials list.
Deactivating and reactivating users
You may want to temporarily deactivate users so they won't be able to connect to your cloud storage. To do this, click the menu button (...) for the specific user and then select Deactivate credentials in the menu.
This will not affect open sessions or any of the user's files (i.e. they will be kept intact within your storage).
To reactivate users, click the menu button (...) for a deactivated user (displayed with a striped background) and then select Activate credentials.
Adding and removing public SSH keys
You can add public SSH keys to use with a username instead of a password. To import public SSH keys for this purpose, complete the following:
- For the specific user you wish to add keys to, click Import SSH key.
- Generate a new key pair or copy an existing public key (usually ending with `.pub`). You can generate a new key pair using `ssh-keygen -t rsa` on Linux/Mac, or using PuTTYgen or OpenSSH on Windows. Make sure you generate a new RSA key.
- Paste the public key. Make sure it begins with `ssh-rsa`.
- Click Import SSH key.
To remove an SSH key from a user, click the X next to the key and confirm deletion.
Editing inbound network rules for users
Inbound network rules define the IP address ranges from which a user can connect to your storage. They can be defined at the organization level (for all users) or at the user level (for specific users). The organization-level and user-level rules are combined into a single list against which an incoming connection is validated. This means that if a client's IP address is included in either the organization or the user list, the connection is considered valid.
By default, the organization inbound network rules contain a single rule allowing access from any IP address to any protocol (SFTP or FTPS). To restrict access, you will have to remove this rule or edit it to use a restrictive CIDR (Classless Inter-Domain Routing - an IP range).
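The combined evaluation described above has a practical consequence: a restrictive user-level rule limits nothing while the default organization rule is still in place. The following added example (not SFTP To Go's own code) models that union check; the rule dictionary layout, the `0.0.0.0/0` form of the default rule, and the sample addresses are assumptions made for illustration.

```python
import ipaddress

# Constructed sample rules. The dict layout and the 0.0.0.0/0 form of the default
# "any IP address" rule are assumptions; CIDRs are documentation ranges.
ORG_DEFAULT = [{"cidr": "0.0.0.0/0", "protocols": {"SFTP", "FTPS"}, "enabled": True}]
ORG_RESTRICTED = [{"cidr": "198.51.100.0/24", "protocols": {"SFTP"}, "enabled": True}]
USER_RULES = [{"cidr": "203.0.113.10/32", "protocols": {"SFTP", "FTPS"}, "enabled": True}]


def matching_rules(client_ip, protocol, org_rules, user_rules):
    """Return (level, cidr) for every enabled rule that admits the connection."""
    ip = ipaddress.ip_address(client_ip)
    hits = []
    for level, rules in (("organization", org_rules), ("user", user_rules)):
        for rule in rules:
            if not rule.get("enabled", True) or protocol not in rule["protocols"]:
                continue
            net = ipaddress.ip_network(rule["cidr"], strict=False)
            if ip.version == net.version and ip in net:
                hits.append((level, rule["cidr"]))
    return hits


def is_allowed(client_ip, protocol, org_rules, user_rules):
    """A connection is valid if either list contains a matching rule."""
    return bool(matching_rules(client_ip, protocol, org_rules, user_rules))


def overly_broad(rules):
    """List enabled rules whose CIDR admits every address (prefix length 0)."""
    return [r["cidr"] for r in rules
            if r.get("enabled", True)
            and ipaddress.ip_network(r["cidr"], strict=False).prefixlen == 0]


if __name__ == "__main__":
    outsider = "192.0.2.55"  # constructed address outside every restrictive rule
    # With the default organization rule in place, the user rule restricts nothing.
    print(is_allowed(outsider, "SFTP", ORG_DEFAULT, USER_RULES))     # True
    print(is_allowed(outsider, "SFTP", ORG_RESTRICTED, USER_RULES))  # False
    print(overly_broad(ORG_DEFAULT))                                 # ['0.0.0.0/0']
```

Running `overly_broad` over an export of your organization rules is a quick way to confirm the default allow-all rule has been removed or narrowed before relying on user-level rules.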
Editing inbound network rules is only available within certain plans. Read more about our different plans here
To add user-level inbound network rules, please complete the following steps:
- Under the specific user, click Add inbound rule.
- Select the protocols to which you want to allow access.
- Enter the CIDR or IP range you want to allow access from.
- Optionally add a description to help you identify the rules later.
- Click Add inbound rule.
To edit, disable, or delete a rule, click the menu button (...) next to the rule and select the action you'd like to perform.