--- sshd_config.orig 2010-06-30 10:14:20.771256000 +0400
+++ sshd_config 2012-05-05 19:43:58.403088004 +0400
@@ -84,3 +84,8 @@
 # PAM authentication, then enable this but set PasswordAuthentication
 # and ChallengeResponseAuthentication to 'no'.
 UsePAM yes
+
+# SFTP Server for sftponly group
+Match group sftponly
+ ChrootDirectory /home/sftproot
+ ForceCommand internal-sftp -f LOCAL7 -l INFO
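Review bot: The `Match group sftponly` block appended after `UsePAM yes` scopes every directive that follows it, up to the next `Match`, to that group; the hunk shows only three lines of context, so if sshd_config continues below line 88 any global settings there would silently apply to sftponly users only — confirm the block is the last thing in the file or move it to the end. sshd also refuses the chroot unless `/home/sftproot` and every path component above it are owned by root and not writable by group or others, and because the path contains no per-user token all sftponly users share one chroot and can list each other's directory names; a comment such as `# chroot root must be root-owned, mode 0755; per-user dirs live beneath it` on the ChrootDirectory line would record that. Since the forced command gives these accounts no shell anyway, consider also adding `AllowTcpForwarding no` and `X11Forwarding no` inside the block so a chrooted account cannot be used as a port-forwarding relay.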
# Create an additional socket for some of the sshd chrooted users.
# internal-sftp runs inside the /home/sftproot chroot, so the host's /dev/log
# is not reachable from there; this extra imuxsock listener provides a syslog
# socket at the same relative path inside the chroot. /home/sftproot/dev must
# exist before rsyslog starts (presumably imuxsock is already loaded by the
# distribution's default rsyslog.conf — verify).
$AddUnixListenSocket /home/sftproot/dev/log
# Log internal-sftp in a separate file
# Property-based filter: messages whose programname equals "internal-sftp" are
# written to /var/log/sftp.log; the leading "-" disables a sync after every
# write. Unless a discard rule follows this line elsewhere in the file, the
# same messages still reach the regular syslog destinations as well.
:programname, isequal, "internal-sftp" -/var/log/sftp.log
# Rotation policy for the sftp log written by the rsyslog internal-sftp rule.
/var/log/sftp.log {
  # keep four rotated copies, rotating once a week
  rotate 4
  weekly
  # a missing log is not an error (e.g. no sftp activity yet)
  missingok
  # gzip old logs, but leave the most recent rotation uncompressed so a
  # writer that still has the file open does not corrupt a compressed copy
  compress
  delaycompress
  # ask rsyslog to reopen its output files; failure is ignored on purpose so
  # that a stopped rsyslog does not make the whole logrotate run fail
  postrotate
    reload rsyslog >/dev/null 2>&1 || true
  endscript
}
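#!/bin/bash
#
# Create an SFTP-only account: a user in the sftponly group with no login
# shell, whose home directory lives under the sshd chroot (/home/sftproot)
# and is accessible by that user alone.
#
# Usage:   add-sftp-user.sh username        (must be run as root)
# Assumes: the sftponly group and /home/sftproot already exist, and that
#          /home/sftproot is root-owned and not writable by group/others
#          (sshd's ChrootDirectory requirement).
#
# Options live in 'set' rather than the shebang so they survive
# 'bash script.sh'.
set -euo pipefail

die() { printf '%s\n' "$*" >&2; exit 1; }

if [[ $# -ne 1 ]]; then
  # Usage errors go to stderr and exit non-zero so callers can detect them.
  printf 'Usage: %s username\n' "${0##*/}" >&2
  exit 2
fi

readonly USERNAME=$1
readonly SFTPGROUP=sftponly
readonly SFTPROOT=/home/sftproot
# Not named SHELL: that would overwrite the environment variable of the same
# name for every child process started by this script.
readonly LOGIN_SHELL=/bin/false

(( EUID == 0 )) || die "this script must be run as root"

# Refuse names that would later be parsed as an option or as a path
# component; useradd applies its own, stricter validation on top.
[[ $USERNAME != -* && $USERNAME != */* ]] || die "invalid username: $USERNAME"

# 1. Create user with $USERNAME, $SFTPGROUP, and $LOGIN_SHELL.
#    -b records $SFTPROOT/$USERNAME as the home directory; without -m the
#    directory is not created here (unless login.defs says otherwise), which
#    is why step 2 creates it explicitly with the intended mode.
useradd -b "$SFTPROOT" -g "$SFTPGROUP" -s "$LOGIN_SHELL" -- "$USERNAME" \
  || die "useradd failed for $USERNAME"

# 2. Create home directory with access only for $USERNAME.
#    The group is left as mkdir created it; mode 700 makes that irrelevant.
mkdir -m 700 -- "$SFTPROOT/$USERNAME" || die "cannot create $SFTPROOT/$USERNAME"
chown -- "$USERNAME" "$SFTPROOT/$USERNAME" || die "cannot chown $SFTPROOT/$USERNAME"

# 3. Set password for $USERNAME (interactive prompt).
passwd -- "$USERNAME"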
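#!/bin/bash
#
# Remove an SFTP-only account created by the companion add script. The
# account is deleted with userdel, but its home directory under the chroot is
# deliberately left in place (no -r) so uploaded data is not destroyed by
# accident; the script tells the admin where it is.
#
# Usage: del-sftp-user.sh username          (must be run as root)
#
# Options live in 'set' rather than the shebang so they survive
# 'bash script.sh'.
set -euo pipefail

die() { printf '%s\n' "$*" >&2; exit 1; }

if [[ $# -ne 1 ]]; then
  # Usage errors go to stderr and exit non-zero so callers can detect them.
  printf 'Usage: %s username\n' "${0##*/}" >&2
  exit 2
fi

readonly USERNAME=$1

(( EUID == 0 )) || die "this script must be run as root"

# Look the home directory up *before* the passwd entry disappears.
# The previous version used 'eval echo ~$USERNAME', which executes whatever
# shell syntax the argument contains, as root; getent performs the same
# lookup without interpreting the argument. With pipefail, an unknown user
# makes getent (exit 2) fail the pipeline.
HOMEDIR=$(getent passwd -- "$USERNAME" | cut -d: -f6) \
  || die "no such user: $USERNAME"

userdel -- "$USERNAME" || die "userdel failed for $USERNAME"

# userdel without -r leaves the home directory behind; report that instead of
# deleting data silently. Exit 0 either way: the account itself is gone
# (the old '&&' chain returned 1 when the directory was already absent).
if [[ -n $HOMEDIR && -d $HOMEDIR ]]; then
  printf "Directory %s wasn't removed. You can remove it manually.\n" "$HOMEDIR"
fi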
Tested on Ubuntu 10.10