SFTP
sudo vim /etc/ssh/sshd_config
Changes to make to sshd_config (notes after this section):
ChallengeResponseAuthentication yes
# Subsystem sftp /usr/lib/openssh/sftp-server
# http://www.debian-administration.org/articles/590
Subsystem sftp internal-sftp
# http://knowledgelayer.softlayer.com/learning/how-do-i-permit-specific-users-ssh-access
AllowGroups sshlogin sftponly
# http://serverfault.com/questions/154957/set-up-sftp-to-use-password-but-ssh-not-to-use-password
Match Group sftponly
PasswordAuthentication yes
ChrootDirectory /srv/sftp/%u
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
Match Group sshlogin
PasswordAuthentication no
Note
- I had to use ChallengeResponseAuthentication when using port forwarding through my router.
- Comment out sftp-server and use internal-sftp instead.
- A user must be in the sshlogin group if they want to use ssh.
- A user must be in the sftponly group if they want to use sftp. A user shouldn't be in both groups.
- Match blocks must be at the end of the file.
- I don't want standard ssh users to be able to log in using passwords.
To check the ssh configuration:
sshd -t
I think we can ignore the "Could not load host key" errors?
sudo addgroup sshlogin
sudo addgroup sftponly
For all the users who need access to ssh:
sudo adduser patrick sshlogin
Set up folders for sftp:
sudo mkdir /srv/sftp/
sudo chown root:root /srv /srv/sftp
sudo chmod 755 /srv /srv/sftp
For users who need access to sftp (only):
sudo adduser username sftponly
# sftp folders
sudo mkdir /srv/sftp/username
sudo chown root:root /srv/sftp/username/
sudo chmod 755 /srv/sftp/username/
# upload folder
sudo mkdir /srv/sftp/username/upload
sudo chown username:username /srv/sftp/username/upload/
# modify an existing user
sudo usermod -g sftponly -d /srv/sftp/username -s /sbin/nologin username
Note: The user can only upload files to the upload folder (or a folder
where they have write permission). I don’t think sftp will be happy if we
change permissions on the /srv/sftp/username folder.
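The reason sftp is unhappy when the permissions on /srv/sftp/username change is that sshd refuses a ChrootDirectory unless that directory and every parent up to / are owned by root and not writable by group or others. The script below is an added example, not part of the original notes: it checks a chroot path against that rule before sshd is restarted, and assumes GNU coreutils stat (Linux).

```shell
#!/bin/sh
# Added example, not from the original notes. Verifies that a ChrootDirectory
# path such as /srv/sftp/username would be accepted by sshd: every component
# from / down must be owned by root and not group- or world-writable.
# Assumes GNU coreutils stat.

# Policy check on one owner uid and one octal mode (3 or 4 digits).
# Returns 0 when these values are acceptable for a chroot path component.
perm_ok() {
    uid=$1
    mode=$2
    perm=${mode#${mode%???}}   # keep the last three digits (drop setuid/setgid/sticky)
    [ "$uid" = "0" ] || return 1
    # Second digit is group, third is other; 2, 3, 6 or 7 means the write bit is set.
    case "$perm" in
        ?[2367]?) return 1 ;;
        ??[2367]) return 1 ;;
    esac
    return 0
}

# Walk from the given absolute path up to / and report every offending component.
# Returns 0 only if the whole chain is acceptable.
check_chroot_path() {
    dir=$1
    rc=0
    case "$dir" in
        /*) ;;
        *) echo "ChrootDirectory must be absolute: $dir"; return 1 ;;
    esac
    while :; do
        if [ ! -d "$dir" ]; then
            echo "missing directory: $dir"
            rc=1
        else
            uid=$(stat -c '%u' "$dir")
            mode=$(stat -c '%a' "$dir")
            perm_ok "$uid" "$mode" || {
                echo "rejected: $dir (uid $uid, mode $mode) must be root-owned and not group/other writable"
                rc=1
            }
        fi
        [ "$dir" = "/" ] && break
        dir=$(dirname "$dir")
    done
    return $rc
}

# Usage: check_chroot_path /srv/sftp/username && echo "chroot path OK"
```

Run it after the mkdir/chown/chmod steps above and again whenever a transfer starts failing with a "bad ownership or modes for chroot directory" message in the sshd log.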