There are many guides on creating SFTP-only accounts, however I found that most of them are outdated and do not make use of the chroot and internal-sftp features built into OpenSSH. In this HOWTO I describe how I set up an SFTP account to allow a group of users to collaboratively maintain a website.
Requirements
For my SFTP account I had the following requirements:
- Support public key authentication;
- Use a chroot environment;
- Enforce SFTP only.
Configuration
First of all we need to create a group that is used to match the SFTP only users:
sudo groupadd -r sftponly
Now our users need to be made members of the sftponly group. When you create a new user, use the -G sftponly option of the useradd command:
sudo useradd -m -G sftponly -b /home -s /bin/sh -c 'SFTP account for username' username
If you turn an existing user into an sftponly user, use the -a -G sftponly options of the usermod command:
sudo usermod -a -G sftponly username
We also need to create the directory into which we will chroot our users. sshd requires this directory, and every component of its path, to be owned by root and not writable by group or others; otherwise it refuses the login and logs "bad ownership or modes for chroot directory". So keep root as owner and do not loosen the mode:
sudo mkdir -p /path/to/chroot
sudo chmod 0755 /path/to/chroot
Because the chroot root itself is read-only for the users, we need to create a directory for each user into which they can write. Note that the user's real home directory (/home/username) does not exist inside the chroot, so the SFTP session starts at the chroot root and the user sees this directory as /username:
sudo mkdir -p /path/to/chroot/username
sudo chown username:username /path/to/chroot/username
sudo chmod 0700 /path/to/chroot/username
Next, you need to edit the /etc/ssh/sshd_config SSHD configuration and add a new Match block to enforce SFTP for members of the sftponly group. Every directive after a Match line belongs to that block until the next Match, so put it at the end of the file. Two caveats: PubkeyAuthentication yes is already the default and does not turn off password logins, so add PasswordAuthentication no to the block if you want key-only access; and ForceCommand internal-sftp on its own still leaves TCP forwarding, X11 forwarding and tunnelling usable, so add AllowTcpForwarding no, X11Forwarding no and PermitTunnel no unless you need them. The shell set with useradd above is never executed, since internal-sftp runs inside sshd itself.
Match Group sftponly
    ForceCommand internal-sftp
    ChrootDirectory /path/to/chroot
    PubkeyAuthentication yes
Finally we need to install the user's public key in the home directory of the user. The key pair is generated by the user with ssh-keygen on their own computer, and the public half will be found there in ~/.ssh/id_rsa.pub (or ~/.ssh/id_ed25519.pub for an Ed25519 key); the private key never leaves that machine. The public key needs to be appended to the file containing the authorized keys on the server (~/.ssh/authorized_keys). Note that sshd reads this file from the real home directory before chrooting, so it lives outside the chroot. The append has to be done by a privileged process: a plain sudo cat file >> target does not work, because the >> redirection is opened by your own unprivileged shell, so use sudo tee -a instead.
sudo mkdir ~username/.ssh
sudo chown username:username ~username/.ssh
sudo chmod 0700 ~username/.ssh
sudo tee -a ~username/.ssh/authorized_keys < id_rsa.pub > /dev/null
sudo chown username:username ~username/.ssh/authorized_keys
sudo chmod 0600 ~username/.ssh/authorized_keys
Conclusions
With these steps I created a highly secured environment that allows users to upload files. This setup has significant advantages over old-fashioned FTP accounts. It is more secure than the plain text authentication of traditional FTP; it is more firewall friendly since it uses a single port (22/tcp) instead of FTP's separate data connections; and, provided PasswordAuthentication is set to no for the sftponly group (the default still permits passwords), it does away with password authentication, which is one of the major risks on the internet.