Author Topic: SFTP user creation  (Read 607 times)


SFTP user creation
« on: September 01, 2013, 07:18:35 AM »

To confine sftp users to a directory, i.e. to enable the ChrootDirectory functionality on a per-user basis, use a conditionally applied sshd configuration block (the "Match" keyword) in the sshd_config file. This example uses a Match block based on group membership, but other criteria may be used in a Match block to determine which users are restricted to the ChrootDirectory (see "man sshd_config" for details).

1. Edit sshd_config
* Comment out the original Subsystem entry for sftp and replace it with a new entry:

#Subsystem sftp /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftp

* Add the following at the end of the /etc/ssh/sshd_config file. NOTE: Users not in this group can still log in to the host via ssh and otherwise interact with openssh normally.

Match Group sftponly
ChrootDirectory /chroots/%u
AllowTcpForwarding no
ForceCommand internal-sftp
X11Forwarding no

2. Create a new group to add sftp-only users to (users in this group will not have access to ssh/scp, and their sftp access will be limited to their chrooted environment):

# groupadd sftponly

3. Configure or create the accounts of any sftp-only users. NOTE: the specified home directory is relative to the ChrootDirectory.

# usermod -d /myhome -g sftponly -s /bin/false user

# useradd -d /myhome -M -g sftponly -s /bin/false user

4. Create the user's chroot environment and configure directory permissions. Ensure that this entire path is owned by root and only writable by root.

# mkdir -p /chroots/user ; chmod -R 755 /chroots/user
NOTE: In this case, the chroot directory is set to /chroots/%u (%u is replaced by the username of that user) so that each user has an individual chroot environment. Users will not be able to see other users' directories or anything else outside the root of their chrooted environment.

5. Create the user's actual home directory under the ChrootDirectory and chown it to the user and group created/used in Step 3 (above).

# mkdir /chroots/user/myhome ; chown user:sftponly /chroots/user/myhome
NOTE: The permissions of the user's home directory inside the chroot, i.e. /chroots/user/myhome, should be 0755.

6. Restart sshd.

Repeat steps 3-5 for any additional users you wish to create or add to the sftponly group.

Saroop Datasoft