Chroot
Users with sftp access without ssh access (for file hosting)
- Do one time setup
$ doas mkdir /var/www/OrangeShare/
$ doas groupadd sftponly
Edit your httpd config to set "/OrangeShare" as the root location (httpd is chrooted to /var/www by default, so this is /var/www/OrangeShare on disk).
Add this to sshd_config:
Subsystem sftp internal-sftp
Match Group sftponly
    PasswordAuthentication yes
    ForceCommand internal-sftp
    ChrootDirectory /var/www/OrangeShare/%u
    AllowTcpForwarding no
    AllowAgentForwarding no
    PermitTunnel no
    PermitTTY no
    X11Forwarding no
sshd requires the ChrootDirectory and every directory above it to be owned by root and not writable by group or others, which is why the script below only gives the user ownership of the pub subdirectory.
Save this script as newuser.sh for adding a new user:
#!/bin/ksh
# newuser.sh: create an sftp-only user chrooted under /var/www/OrangeShare
set -e
if [ $# -ne 1 ]; then
    echo "usage: $0 username" >&2
    exit 1
fi
user=$1
# add user (adduser is interactive; enter the same username you passed as $1)
doas adduser
# add user to sftponly group, otherwise they will have full ssh access
doas usermod -g sftponly "$user"
# make the user's chroot directory; it stays owned by root with mode 755,
# as sshd requires for ChrootDirectory
doas mkdir /var/www/OrangeShare/"$user"
# the user only gets write access inside pub
doas mkdir /var/www/OrangeShare/"$user"/pub
doas chown "$user:$user" /var/www/OrangeShare/"$user"/pub
# set the user's password
doas passwd "$user"
- For each new user
$ ksh newuser.sh usernameHere
Then email the user their credentials, from either your personal email address or your team's, if it has one.
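A pre-flight check for the ChrootDirectory ownership rule, added here as an example (it is not part of the original page or of OpenBSD's tools); the WANT_UID and TOP parameters are assumptions so the walk can be exercised in a tree that is not root-owned:

```sh
#!/bin/sh
# Pre-flight check for sshd's ChrootDirectory requirement: the chroot and
# every directory above it must be owned by root and not writable by group
# or others, or sshd rejects the login with "bad ownership or modes for
# chroot directory". Added example, not from the original page.

# check_dir DIR WANT_UID: report and fail if DIR is missing, not owned by
# WANT_UID, or group/world writable. ls -ldn prints numeric ids on both
# OpenBSD and GNU ls, so there are no stat(1) flag differences to handle.
check_dir() {
    d=$1; w=$2
    [ -d "$d" ] || { echo "MISSING   $d"; return 1; }
    set -- $(ls -ldn "$d")   # fields: mode links uid gid ...
    mode=$1; uid=$3
    if [ "$uid" != "$w" ]; then
        echo "BAD OWNER $d (uid $uid, expected $w)"; return 1
    fi
    # character 6 is the group write bit, character 9 the world write bit
    case $mode in
        ?????w*|????????w*) echo "WRITABLE  $d ($mode)"; return 1 ;;
    esac
    echo "OK        $d"
}

# check_chroot_path CHROOT [WANT_UID] [TOP]: walk from CHROOT up to TOP
# (default /) and check every component. WANT_UID defaults to 0 (root).
# TOP and WANT_UID are assumed parameters added so the walk can be run in
# a sandbox without root; in production leave both at their defaults.
check_chroot_path() {
    cur=$1; want=${2:-0}; top=${3:-/}; rc=0
    while :; do
        check_dir "$cur" "$want" || rc=1
        [ "$cur" = "$top" ] && break
        [ "$cur" = / ] && break
        cur=$(dirname "$cur")
    done
    return $rc
}

# Usage: sh chrootcheck.sh /var/www/OrangeShare/alice
# (with no arguments the script only defines the functions)
[ $# -eq 0 ] || check_chroot_path "$1"
```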
Sources:
http://undeadly.org/cgi?action=article&sid=20080220110039
https://man.openbsd.org/sftp-server
https://unix.stackexchange.com/questions/503312/is-it-possible-to-grant-users-sftp-access-without-shell-access-if-yes-how-is-i