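====== Chrooted SFTP Server based on OpenSSH ======

===== Requirements =====

  * OpenSSH >= 5.4

===== Configuration =====

  - sudo mkdir -p /home/sftproot/dev
  - sudo touch /home/sftproot/dev/log
  - /etc/ssh/sshd_config (changes)

--- sshd_config.orig	2010-06-30 10:14:20.771256000 +0400
+++ sshd_config	2012-05-05 19:43:58.403088004 +0400
@@ -84,3 +84,8 @@
 # PAM authentication, then enable this but set PasswordAuthentication
 # and ChallengeResponseAuthentication to 'no'.
 UsePAM yes
+
+# SFTP Server for sftponly group
+Match group sftponly
+ ChrootDirectory /home/sftproot
+ ForceCommand internal-sftp -f LOCAL7 -l INFO

  -
# Create an additional socket for some of the sshd chrooted users.
$AddUnixListenSocket /home/sftproot/dev/log

# Log internal-sftp in a separate file
:programname, isequal, "internal-sftp" -/var/log/sftp.log

  -
/var/log/sftp.log {
    rotate 4
    weekly
    missingok
    compress
    delaycompress
    postrotate
        reload rsyslog >/dev/null 2>&1 || true
    endscript
}

  -
#!/usr/bin/env bash
#
# Create an SFTP-only account below the chroot.
#
# Usage:  <script> username
#
# Steps:
#   1. create the user in group sftponly with no login shell
#   2. create the home directory, accessible only by that user
#   3. set the password interactively
#
# Options are set with `set` rather than in the shebang so they also
# apply when the script is run as `bash script.sh`.
set -euo pipefail

if [[ $# != 1 ]]; then
  printf 'Usage: %s username\n' "${0##*/}" >&2
  exit 2   # a usage error must not exit 0
fi

readonly username=$1
readonly sftpgroup=sftponly
readonly sftproot=/home/sftproot
# Not named SHELL: assigning SHELL would be passed on to useradd/passwd.
readonly login_shell=/bin/false

# useradd validates the account name, so under `set -e` an invalid name
# (e.g. one containing "/") stops the script before mkdir/chown run.
useradd -b "$sftproot" -g "$sftpgroup" -s "$login_shell" "$username"
mkdir -m 700 -- "$sftproot/$username"
chown -- "$username" "$sftproot/$username"
passwd "$username"

  -
#!/usr/bin/env bash
#
# Delete an SFTP-only account.  The home directory is deliberately left
# in place (userdel is called without -r); the script only reports it.
#
# Usage:  <script> username
#
# Exit status: 0 on success, 1 if the user does not exist or userdel
# fails, 2 on a usage error.
set -euo pipefail

if [[ $# != 1 ]]; then
  printf 'Usage: %s username\n' "${0##*/}" >&2
  exit 2   # a usage error must not exit 0
fi

readonly username=$1

# Look the home directory up in the passwd database.  The previous
# `eval echo ~$USERNAME` executed the argument as shell code, so a crafted
# username could run arbitrary commands as root.
if ! entry=$(getent passwd "$username"); then
  printf 'No such user: %s\n' "$username" >&2
  exit 1
fi
# passwd fields: name:x:uid:gid:gecos:home:shell -> keep the home field.
homedir=${entry%:*}
homedir=${homedir##*:}

userdel "$username"

# Only a notice: a missing directory is not an error for this script,
# whereas the old `[[ -d ]] && echo` chain made `-e` exit 1 in that case.
if [[ -d $homedir ]]; then
  printf "Directory %s wasn't removed. You can remove it manually.\n" "$homedir"
fi

**Tested on Ubuntu 10.10**

{{tag>ubuntu sftp openssh chroot}}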
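Review bot: The Match block added at lines 87-89 turns on ChrootDirectory /home/sftproot, but neither the hunk nor the configuration steps above it say that sshd only accepts a chroot whose directory and every parent are owned by root and not writable by group or others; step 1's `mkdir -p /home/sftproot/dev` sets no owner or mode, so a reader on a system where /home/sftproot ends up group- or world-writable gets logins refused with a chroot ownership error. I would add a step before the sshd_config change such as `sudo chown root:root /home/sftproot && sudo chmod 755 /home/sftproot`. The block also leaves forwarding at the global defaults for sftponly users even though ForceCommand internal-sftp gives them no shell; adding `AllowTcpForwarding no` and `X11Forwarding no` under the Match keeps these accounts from relaying connections through the server. Lastly, a Match block applies until the next Match or end of file, so if any global directive follows line 89 in the real sshd_config it is silently scoped to group sftponly; the hunk shows nothing after the block, so this cannot be confirmed from here.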