Table of Contents
Chrooted SFTP Server based on OpenSSH
Requirements
- OpenSSH >= 5.4
Configuration
- sudo mkdir -p /home/sftproot/dev
- sudo touch /home/sftproot/dev/log
- /etc/ssh/sshd_config (changes)
--- sshd_config.orig 2010-06-30 10:14:20.771256000 +0400
+++ sshd_config 2012-05-05 19:43:58.403088004 +0400
@@ -84,3 +84,8 @@
 # PAM authentication, then enable this but set PasswordAuthentication
 # and ChallengeResponseAuthentication to 'no'.
 UsePAM yes
+
+# SFTP Server for sftponly group
+Match group sftponly
+ ChrootDirectory /home/sftproot
+ ForceCommand internal-sftp -f LOCAL7 -l INFO
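Review bot: The new Match block forces internal-sftp but leaves port, agent and X11 forwarding at sshd's defaults, and ForceCommand alone does not switch those off, so a member of sftponly can still use the session as a forwarding relay; add `AllowTcpForwarding no`, `X11Forwarding no` and `AllowAgentForwarding no` under the Match block. sshd also refuses to chroot unless /home/sftproot and every directory above it are root-owned and not group- or world-writable, so the mkdir step earlier on the page should be paired with a check of those ownership and mode bits; the exact values depend on the distribution's umask. The rest of sshd_config is outside the hunk.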
- /etc/rsyslog.d/sftp-rsyslog.conf
# Create an additional socket for some of the sshd chrooted users.
# A chrooted internal-sftp cannot reach the host's /dev/log, so rsyslog
# also listens on the socket node created inside the chroot
# (/home/sftproot/dev/log, see the touch step above).
$AddUnixListenSocket /home/sftproot/dev/log

# Log internal-sftp in a separate file
# The leading "-" on the target path tells rsyslog not to sync after
# every write.
# NOTE(review): no discard rule follows this selector, so these messages
# presumably also reach the default syslog/auth destinations — confirm
# whether the duplication is intended.
:programname, isequal, "internal-sftp" -/var/log/sftp.log
- /etc/logrotate.d/sftp-logrotate
# Rotation policy for the chrooted-SFTP log that the rsyslog rule for
# internal-sftp writes; keeps four weekly generations.
/var/log/sftp.log {
    rotate 4
    weekly
    missingok
    compress
    # Keep the newest rotated file uncompressed for one cycle: rsyslog may
    # still hold it open until the reload in postrotate has run.
    delaycompress
    postrotate
        # Make rsyslog reopen the log; a failed reload must not abort rotation.
        reload rsyslog >/dev/null 2>&1 || true
    endscript
}
- /usr/local/bin/create-sftp-user.sh
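#!/usr/bin/env bash
#
# create-sftp-user.sh — create a chroot-only SFTP account.
#
# Usage: create-sftp-user.sh username
#
# Creates USERNAME in group SFTPGROUP with a non-login shell, creates
# SFTPROOT/USERNAME as a mode-0700 directory owned by that user (SFTPROOT
# itself stays root-owned, which sshd requires for ChrootDirectory), and
# finally prompts for the account password. Must be run as root.
#
# Options are set with 'set' rather than on the shebang line so they survive
# being invoked as 'bash create-sftp-user.sh'.
set -euo pipefail

#######################################
# Print usage to stderr and exit with status 2 (misuse, not success).
#######################################
usage() {
  printf 'Usage: %s username\n' "${0##*/}" >&2
  exit 2
}

#######################################
# Print an error to stderr and exit with status 1.
# Arguments: message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

[[ $# == 1 ]] || usage

USERNAME=$1
readonly SFTPGROUP=sftponly
readonly SFTPROOT=/home/sftproot
# Named NOLOGIN_SHELL rather than SHELL so the script does not clobber the
# caller's exported SHELL variable.
readonly NOLOGIN_SHELL=/bin/false

# Accept only the portable useradd name syntax. Besides keeping the name
# sane this rules out a leading '-' being parsed as an option by the
# commands below, none of which take '--'.
[[ "$USERNAME" =~ ^[a-z_][a-z0-9_-]*$ ]] \
  || die "invalid username: $USERNAME"
(( EUID == 0 )) || die "must be run as root"
# useradd -g fails on an unknown group; say so up front.
getent group "$SFTPGROUP" >/dev/null \
  || die "group $SFTPGROUP does not exist (create it with: groupadd $SFTPGROUP)"
[[ -d "$SFTPROOT" ]] || die "chroot directory $SFTPROOT does not exist"
if [[ -e "$SFTPROOT/$USERNAME" ]]; then
  die "$SFTPROOT/$USERNAME already exists; refusing to reuse it"
fi

# 1. Create user with $USERNAME, $SFTPGROUP, and $NOLOGIN_SHELL.
#    -b sets the home to $SFTPROOT/$USERNAME without creating it.
useradd -b "$SFTPROOT" -g "$SFTPGROUP" -s "$NOLOGIN_SHELL" "$USERNAME"
# 2. Create home directory with access only for $USERNAME (mode 0700 so
#    other chrooted users cannot browse it).
mkdir -m 700 "$SFTPROOT/$USERNAME"
chown "$USERNAME" "$SFTPROOT/$USERNAME"
# 3. Set password for $USERNAME (interactive).
passwd "$USERNAME"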
- /usr/local/bin/delete-sftp-user.sh
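#!/usr/bin/env bash
#
# delete-sftp-user.sh — remove a chroot-only SFTP account.
#
# Usage: delete-sftp-user.sh username
#
# Deletes USERNAME with userdel. The home directory is deliberately left in
# place so data is not destroyed by accident; the script reports it if it
# still exists. Must be run as root.
#
# Options are set with 'set' rather than on the shebang line so they survive
# being invoked as 'bash delete-sftp-user.sh'.
set -euo pipefail

#######################################
# Print usage to stderr and exit with status 2 (misuse, not success).
#######################################
usage() {
  printf 'Usage: %s username\n' "${0##*/}" >&2
  exit 2
}

#######################################
# Print an error to stderr and exit with status 1.
# Arguments: message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

[[ $# == 1 ]] || usage

USERNAME=$1

# Same name syntax as create-sftp-user.sh; rejects anything that could be
# parsed as an option or contain shell metacharacters.
[[ "$USERNAME" =~ ^[a-z_][a-z0-9_-]*$ ]] \
  || die "invalid username: $USERNAME"
(( EUID == 0 )) || die "must be run as root"

# Look the home directory up in the passwd database. The previous
# 'eval echo ~$USERNAME' would execute any shell metacharacters in the
# argument, and must be resolved before userdel removes the entry.
entry=$(getent passwd "$USERNAME") || die "no such user: $USERNAME"
IFS=: read -r _ _ _ _ _ HOMEDIR _ <<<"$entry"

userdel "$USERNAME"

# Plain 'if' rather than '&&' inside a group: with set -e the old form made
# the script exit non-zero whenever the directory was absent.
if [[ -d "$HOMEDIR" ]]; then
  printf '%s\n' "Directory $HOMEDIR wasn't removed. You can remove it manually."
fi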
Tested on Ubuntu 10.10