Table of Contents

Chrooted SFTP Server based on OpenSSH

Requirements

Configuration

  1. sudo mkdir -p /home/sftproot/dev
  2. sudo touch /home/sftproot/dev/log
  3. /etc/ssh/sshd_config (changes)
    --- sshd_config.orig	2010-06-30 10:14:20.771256000 +0400
    +++ sshd_config	2012-05-05 19:43:58.403088004 +0400
    @@ -84,3 +84,8 @@
     # PAM authentication, then enable this but set PasswordAuthentication
     # and ChallengeResponseAuthentication to 'no'.
     UsePAM yes
    +
    +# SFTP Server for sftponly group
    +Match group sftponly
    +         ChrootDirectory /home/sftproot
    +         ForceCommand internal-sftp -f LOCAL7 -l INFO
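Review bot: The Match block forces internal-sftp but leaves port, agent and X11 forwarding available to sftponly members, so the chroot alone does not stop an account from using the host as a relay; add `AllowTcpForwarding no`, `AllowAgentForwarding no` and `X11Forwarding no` next to `ForceCommand`. ChrootDirectory also requires /home/sftproot and every path component above it to be root-owned and not group- or world-writable, otherwise sshd refuses the session; step 1 creates the directory with sudo mkdir but never states that ownership requirement, so a short comment above the directive would save a confusing "bad ownership or modes" failure. The `-f LOCAL7 -l INFO` options only produce output once a /dev/log socket exists inside the chroot, which is what the rsyslog stanza in step 4 provides.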
  4. /etc/rsyslog.d/sftp-rsyslog.conf
    # Create an additional socket for some of the sshd chrooted users.
    # internal-sftp runs inside ChrootDirectory /home/sftproot and cannot reach
    # the host's normal /dev/log, so rsyslog listens on a second socket placed
    # inside the chroot (the socket path is the file created by touch in step 2).
    $AddUnixListenSocket /home/sftproot/dev/log
    # Log internal-sftp in a separate file
    # (the leading "-" on the path tells rsyslog to skip syncing the file
    # after every message).
    :programname, isequal, "internal-sftp" -/var/log/sftp.log
  5. /etc/logrotate.d/sftp-logrotate
    # Rotate the file written by the internal-sftp rsyslog rule. rsyslog is
    # reloaded afterwards, presumably so it reopens its output file instead of
    # writing into the renamed one; "|| true" keeps a failed reload from
    # aborting logrotate.
    /var/log/sftp.log
    {
    	rotate 4
    	weekly
    	missingok
    	compress
    	delaycompress
    	postrotate
    		reload rsyslog >/dev/null 2>&1 || true
    	endscript
    }
  6. /usr/local/bin/create-sftp-user.sh
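    #!/usr/bin/env bash
    # create-sftp-user.sh - add a chrooted, SFTP-only account.
    #
    # Usage: create-sftp-user.sh USERNAME
    #
    # The account gets the sftponly primary group (the group matched by the
    # "Match group sftponly" block in sshd_config), a non-login shell and a
    # home directory $SFTPROOT/USERNAME that only the user can enter.
    # $SFTPROOT itself is the ChrootDirectory: it must already exist and be
    # owned by root, not writable by group or others, or sshd rejects logins.
    # Must be run as root.
    set -euo pipefail

    readonly SFTPGROUP=sftponly
    readonly SFTPROOT=/home/sftproot
    # Deliberately not called SHELL: that would clobber the environment
    # variable of the same name for every command started below.
    readonly SFTP_SHELL=/bin/false

    die() { printf '%s\n' "$*" >&2; exit 1; }

    # Usage errors go to stderr and exit non-zero so callers can notice them.
    [[ $# == 1 ]] || { printf 'Usage: %s username\n' "$0" >&2; exit 2; }
    username=$1

    # Accept only a conservative subset of the names useradd allows, so the
    # value can neither be parsed as an option nor change the path built below.
    [[ "$username" =~ ^[a-z_][a-z0-9_-]*$ ]] || die "invalid username: $username"
    (( EUID == 0 )) || die "must be run as root"

    # 1. Create user with $username, $SFTPGROUP and $SFTP_SHELL. No -m: the home
    #    directory is created in the next step with the mode we want.
    # 2. Create home directory with access only for $username.
    # 3. Set password for $username.
    # set -e aborts the script on the first failing step.
    useradd -b "$SFTPROOT" -g "$SFTPGROUP" -s "$SFTP_SHELL" "$username"
    mkdir -m 700 -- "$SFTPROOT/$username"
    chown -- "$username:$SFTPGROUP" "$SFTPROOT/$username"
    passwd "$username"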
  7. /usr/local/bin/delete-sftp-user.sh
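    #!/usr/bin/env bash
    # delete-sftp-user.sh - remove an account created by create-sftp-user.sh.
    #
    # Usage: delete-sftp-user.sh USERNAME
    #
    # The home directory is deliberately left in place (userdel runs without
    # -r) so uploaded data is not lost; the script only reports where it is.
    # Must be run as root.
    set -euo pipefail

    die() { printf '%s\n' "$*" >&2; exit 1; }

    # Usage errors go to stderr and exit non-zero so callers can notice them.
    [[ $# == 1 ]] || { printf 'Usage: %s username\n' "$0" >&2; exit 2; }
    username=$1

    # Same name syntax as create-sftp-user.sh; rejects anything that could be
    # parsed as an option by userdel.
    [[ "$username" =~ ^[a-z_][a-z0-9_-]*$ ]] || die "invalid username: $username"
    (( EUID == 0 )) || die "must be run as root"

    # Resolve the home directory from the passwd database while the account
    # still exists. Do not use `eval echo ~$username`: eval executes whatever
    # shell syntax the argument contains, and for an unknown user the tilde
    # expansion just returns the literal "~name".
    # With pipefail a failing getent (unknown user) makes the pipeline fail.
    homedir=$(getent passwd "$username" | cut -d: -f6) || die "no such user: $username"
    [[ -n "$homedir" ]] || die "no such user: $username"

    userdel "$username"

    # An if, not an && list: under set -e a failing final && operand would make
    # a successful deletion exit non-zero whenever the directory is already gone.
    if [[ -d "$homedir" ]]; then
      printf "Directory %s wasn't removed. You can remove it manually.\n" "$homedir"
    fi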

Tested on Ubuntu 10.10