sftp only access
================

Sometimes we want to give some users only sftp access, without "normal" ssh access. Below follow some notes on how to set this up. It is presumed that the system already allows pubkey authentication.

Globally, this is how it works:

* members of the group sftpusers get sftp access
* the public key of the user is stored in /etc/ssh-pool
* each key in this pool has as filename <username>.pub
* they only have access to their personal incoming directory

Other users, not part of the group sftpusers, can still have normal ssh access.

Setup directory
---------------

Create the directory /sftp

Each user will get a sub directory in here.

Create the directory /etc/ssh-pool/

The public key of each user will come in here.

Create a new group
------------------

    groupadd sftpusers

The members of this group will get sftp access.

Edit sshd_config
----------------

Make sure that the following line is commented out:

    # Subsystem sftp /usr/lib/openssh/sftp-server

and replace it with:

    Subsystem sftp internal-sftp

Add the following lines to it:

    Match Group sftpusers
        ChrootDirectory /sftp/%u
        ForceCommand internal-sftp
        PubkeyAuthentication yes
        AuthorizedKeysFile /etc/ssh-pool/%u.pub

Add some users
--------------

In the following the user "guestuser" is added. Replace the name "guestuser" with the username for each user.

Create a user, and disable log-in rights:

    useradd -g sftpusers -d /incoming -s /sbin/nologin guestuser
    passwd -d guestuser

Create an incoming directory for this user:

    mkdir -p /sftp/guestuser/incoming
    chown guestuser:sftpusers /sftp/guestuser/incoming

Add the public key of the user to the pool:

    mv theirkey.pub /etc/ssh-pool/guestuser.pub

The filename of the key must be <username>.pub

Repeat this for each user.

Last edited: $Date: 2024/03/27 19:52:21 $
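One check worth running after the per-user steps above and before reloading sshd, as an added example that is not part of these notes: sshd refuses a ChrootDirectory that is not owned by root or that is writable by group or others, and a missing incoming directory or key file silently locks the user out. The script below tests those conditions for one user against the /sftp and /etc/ssh-pool layout described here; SFTP_ROOT, POOL_DIR, CHROOT_OWNER and the optional second argument are overrides added only so it can be tried in a scratch directory as an unprivileged user.

```shell
#!/bin/sh
# Added example, not from the notes above: verify one sftp-only user's layout.
# Paths follow the notes (/sftp/<user>, /etc/ssh-pool/<user>.pub); the three
# variables can be overridden purely to exercise the check outside the real host.

SFTP_ROOT="${SFTP_ROOT:-/sftp}"
POOL_DIR="${POOL_DIR:-/etc/ssh-pool}"
CHROOT_OWNER="${CHROOT_OWNER:-root}"   # sshd insists the chroot belongs to root

# True when the path exists and is writable by neither group nor others.
not_gw_writable() {
    [ -e "$1" ] && [ -z "$(find "$1" -prune \( -perm -g+w -o -perm -o+w \) -print)" ]
}

# True when the path is owned by the given account (name or numeric uid).
owned_by() {
    [ -n "$(find "$1" -prune -user "$2" -print 2>/dev/null)" ]
}

# check_sftp_user USER [INCOMING_OWNER]
# INCOMING_OWNER defaults to USER; it is a parameter only so the check can run
# where that account does not exist. Prints every problem found and returns 0
# only when sshd would accept the chroot and the user could upload into it.
check_sftp_user() {
    user="$1"; owner="${2:-$1}"
    chroot="$SFTP_ROOT/$user"; incoming="$chroot/incoming"
    key="$POOL_DIR/$user.pub"; rc=0

    [ -d "$chroot" ] || { echo "missing chroot $chroot"; return 1; }
    owned_by "$chroot" "$CHROOT_OWNER" || { echo "$chroot must be owned by $CHROOT_OWNER"; rc=1; }
    not_gw_writable "$chroot" || { echo "$chroot is group/world writable; sshd will refuse to chroot"; rc=1; }

    # The chroot itself is root-owned, so uploads only work in the user-owned subdir.
    [ -d "$incoming" ] || { echo "missing $incoming"; rc=1; }
    [ -d "$incoming" ] && { owned_by "$incoming" "$owner" || { echo "$incoming not owned by $owner (uploads will fail)"; rc=1; }; }

    # Key must be present in the pool under the exact name sshd_config expects.
    [ -f "$key" ] || { echo "missing key $key"; rc=1; }
    [ -f "$key" ] && { not_gw_writable "$key" || { echo "$key is group/world writable"; rc=1; }; }

    return "$rc"
}

# Usage on the real host: ./check-sftp-user.sh guestuser
if [ "$#" -gt 0 ]; then check_sftp_user "$@"; fi
```

After the layout passes, `sshd -t` validates the edited sshd_config and `sshd -T -C user=guestuser` prints the settings that Match block actually applies to that user.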