sftp only acces
===============

Sometimes we want to give some users only sftp access, without
"normal" ssh access. Below follow some notes how to set this up.

It is presumed that the system already allows pubkey authentication.

Globally, this is how it works:
* members of the group sftpusers get sftp-access
* the public key of the user is stored in /etc/ssh-pool
* each key in this pool has as filename <username>.pub  
* they have only access to there personal incoming directory

Other users, not part of the group sftpusers can still have normal ssh
access.
  
Setup directory
---------------

Create the directory /sftp
Each user will get a sub directory in here.

Create the directory /etc/ssh-pool/
The public key of each user will come in here.

Create a new group
------------------

   groupadd sftpusers

The members of this group will get sftp access.

Edit sshd_config
----------------

Make sure that the following line is commented out:

   # Subsystem sftp /usr/lib/openssh/sftp-server

and replace it with:

   Subsystem       sftp    internal-sftp

Add the following lines to it:

    Match Group sftpusers
        ChrootDirectory /sftp/%u
        ForceCommand internal-sftp
        PubkeyAuthentication yes
        AuthorizedKeysFile /etc/ssh-pool/%u.pub

Add some users
--------------
In the following the user "guestuser" is added.
Replace the name "guestuser" to the username for each user.

Create a user, and disable log-in rights:

    useradd -g sftpusers -d /incoming -s /sbin/nologin guestuser
    passwd -d  guestuser

Create an incoming directory for this user:

   mkdir -p /sftp/guestuser/incoming
   chown guestuser:sftpusers /sftp/guestuser/incoming

Add the public key of the user to the pool:

    mv theirkey.pub /etc/ssh-pool/guestuser.pub

The filename of the key must be <username>.pub

Repeat this for each user.


Last edited: $Date: 2024/03/27 19:52:21 $