How to manage users with the CLI
This guide walks through creating and modifying user accounts with the burusftp command line. For conceptual background, see Authentication and File Access & Permissions.
Prefer a graphical interface?
The same settings can be configured through the Web Administration interface.
The relevant commands are:
burusftp user add— create a new user.burusftp user update— modify an existing user.burusftp user list,user inspect,user delete— list, inspect, and delete users.burusftp user key add,user key delete— manage public keys.burusftp path,path list,path delete— manage virtual path mappings.
Most of the settings covered below can be bundled into the initial user add call or applied later with user update. Each section notes the relevant flags for both.
Create a user
The minimal form creates a bare user with just a username:
burusftp user add elaineYou'll typically pair it with at least one authentication flag and a root path mapping — the following sections show both the creation-time shortcuts and how to apply the same settings later.
Enable password authentication
Local
Use -p to be prompted for the password and store a locally-hashed copy. This sets password-auth to required and password-auth-mode to local.
# During creation
burusftp user add elaine -p
# On an existing user
burusftp user update elaine -pAvoid plain-text passwords on the command line
The --password "<value>" form exists but should not be used in interactive shells or scripts that get logged. Prefer -p (interactive prompt) or read the password from a secure source. Bash and zsh can be configured (HISTCONTROL=ignorespace / setopt hist_ignore_space) to skip commands that start with a leading space from shell history.
Import an existing password hash
To migrate users from another system, import their pre-computed hashes with --password-hash. Supported algorithms are SHA-1, SHA-2, and MD5.
burusftp user update elaine --password-hash salt-first,0x1055d3e698d289f2af8663725127bd4b,0xa0392fedThe salt-first / password-first keyword tells the server how the original system concatenated the salt and password before hashing. See the --password-hash reference for the full format.
Windows
--win-account links the Buru user to a local Windows or Active Directory account. It sets password-auth-mode to windowsNetwork, password-auth to required, and impersonate to on.
# During creation
burusftp user add elaine --win-account "MI\elaine"
# On an existing user
burusftp user update elaine --win-account "MI\elaine"To specify the logon type:
burusftp user update elaine --password-auth-mode windowsInteractiveTo turn off impersonation while keeping Windows password verification:
burusftp user update elaine --impersonate offEnable public key authentication
The simplest way to associate a key during user creation is --keys, which accepts a file path or an inline key string and automatically sets key-auth to required:
# From a file
burusftp user add elaine --keys "C:\keys\elaine.pub"
# Inline
burusftp user add elaine --keys "ssh-ed25519 AAAAC3...wondiGXo6J"To add a key to an existing user, use burusftp user key add:
# From a file
burusftp user key add -u elaine -f "C:\keys\elaine.pub"
# From standard input
type "C:\keys\elaine.pub" | burusftp user key add -u elaine -f -
# Inline, with a comment
burusftp user key add -u elaine -i "AAAAC3NzaC1lZDI1NTE5..." -c "Work laptop"You can associate any number of keys with a single account. To remove keys, use burusftp user update --remove-keys with a fingerprint prefix, an algorithm name (e.g. rsa), or * for all.
Require both password and key (multi-factor)
Set both authentication methods to required on the user:
burusftp user update elaine --password-auth required --key-auth requiredThe user will then have to present a valid password and a valid public key on every login. See Combining methods for the conceptual details.
Configure path mappings
--root-dir on user add creates the root mapping (/). For everything else, use burusftp path.
The flags are Read, Write, Delete, and All. Combine them as needed; use --fset "" for no access.
# Read/write but no delete
burusftp path -u elaine -v /uploads -p "D:\Data\Uploads" --fset RW
# Read-only shared folder
burusftp path -u elaine -v /shared -p "\\dfs\shared" --fset R
# Grant full access on the existing root mapping
burusftp path -u elaine -v / --fset A
# Replace an existing mapping (the path already exists)
burusftp path -u elaine -v /uploads -p "E:\NewUploads" --fset RW -fTo list or delete mappings:
burusftp path list -u elaine
burusftp path delete -u elaine -v /uploadsDeleting a mapping only revokes the user's access — the files on disk are untouched.
No root mapping
A user with no root (/) mapping sees an empty root after login and can only enter explicitly mapped subdirectories.
Grant Web Administration access
Enable Web Admin access with --web-admin enable, either during creation or on an existing user:
# During creation
burusftp user add elaine -p --web-admin enable
# On an existing user
burusftp user update elaine --web-admin enableWeb Admin sign-in always uses a password; public key authentication cannot be used to access Web Administration.
To create a Web Admin-only user — one that can administer the server but has no SFTP or SSH access — omit --root-dir and set --shell-type none:
burusftp user add admin -p --web-admin enable --shell-type noneInspect, lock, and delete users
# List all users
burusftp user list
# Show full details for one user (mappings, keys, auth settings, ...)
burusftp user inspect elaine
# Lock a user indefinitely
burusftp user update elaine --lock
# Lock for a fixed period
burusftp user update elaine --lock 7d
burusftp user update elaine --lock "2026-12-31 23:59:00"
# Unlock and clear the failed login counter
burusftp user update elaine --unlock
# Delete a user (files on disk are not touched)
burusftp user delete elaine