TL;DR title: give a user SFTP access, jailed to a single folder.

su -
groupadd sftp
mkdir -p /SFTP/chroot
chown root:root /SFTP/chroot
vim /etc/ssh/sshd_config

Find the PermitRootLogin line and work through the file, setting:

#PermitRootLogin prohibit-password
PermitRootLogin no

StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes

AuthorizedKeysFile      %h/.ssh/authorized_keys

…and on…

# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes
PasswordAuthentication no

…until you come near the end of the file, where you comment out the line…

#Subsystem sftp /usr/lib/openssh/sftp-server

…and paste right below it…

Subsystem sftp internal-sftp
Match Group sftp
ChrootDirectory /SFTP/chroot
ForceCommand internal-sftp
X11Forwarding no
AllowTcpForwarding no

…save, close, run…

systemctl restart sshd

(On Debian/Ubuntu the unit is called ssh, so use systemctl restart ssh there.)

Then, for each user you want to create…

  • Run the commands:
adduser --ingroup sftp --shell /bin/false user
mkdir /SFTP/chroot/user
chown user:sftp /SFTP/chroot/user/
chmod 700 /SFTP/chroot/user/
sudo -u user ssh-keygen -t rsa
sudo -u user cat /home/user/.ssh/id_rsa
  • Back up the id_rsa file somewhere on your own drive…
sudo -u user cat /home/user/.ssh/id_rsa.pub
  • Copy the contents…
sudo -u user vim /home/user/.ssh/authorized_keys
  • paste the contents, save, close…

  • On your computer use PuTTYgen to create a .ppk file for each user…

  • Send the user the .ppk file and a suitable SFTP client (FileZilla Portable, for example)

Done!
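One more check worth running on the server before the first login, added here as an example that is not part of the original post: sshd only accepts the ChrootDirectory if every path component, from / down to the chroot itself, is owned by root and is not group- or world-writable, otherwise the login fails with "bad ownership or modes for chroot directory" in the auth log. The OWNER_UID argument is a hypothetical knob (default 0, i.e. root) so the check can be tried on a scratch directory without root; on the real path leave it at the default.

```shell
#!/bin/sh
# Added example, not part of the original post. sshd refuses a chrooted SFTP login
# ("bad ownership or modes for chroot directory") unless every component of the
# ChrootDirectory path, from / down to the chroot itself, is owned by root and is
# not group- or world-writable. These functions check exactly that.
# OWNER_UID is a hypothetical knob (default 0 = root) so the check can be tried on a
# scratch directory as an unprivileged user.

# check_dir DIR [OWNER_UID]: 0 if DIR is owned by OWNER_UID and not g/o-writable.
check_dir() {
    target=$1
    want_uid=${2:-0}
    # GNU/busybox stat: numeric owner uid and octal mode, e.g. "0 755" or "0 1777"
    set -- $(stat -c '%u %a' "$target" 2>/dev/null)
    if [ $# -ne 2 ]; then
        echo "FAIL $target: cannot stat" >&2
        return 1
    fi
    if [ "$1" -ne "$want_uid" ]; then
        echo "FAIL $target: owner uid $1, expected $want_uid" >&2
        return 1
    fi
    # 022 = group-write | other-write; the leading 0 makes the shell parse "$2" as octal
    if [ $(( 0$2 & 022 )) -ne 0 ]; then
        echo "FAIL $target: mode $2 is group- or world-writable" >&2
        return 1
    fi
    return 0
}

# check_chroot_path CHROOT [OWNER_UID]: apply check_dir to CHROOT and every parent.
check_chroot_path() {
    cur=$1
    rc=0
    while :; do
        check_dir "$cur" "${2:-0}" || rc=1
        [ "$cur" = "/" ] && break
        cur=$(dirname "$cur")
    done
    return $rc
}

# On the server from the post, run as root before restarting sshd:
#   check_chroot_path /SFTP/chroot && systemctl restart sshd
```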

Adapted from: Source 1, Source 2, Source 3


nerd corner

Wannabe automation script* (find-and-replace ‘user’ with the username of your choice, or use a shell parameter… ;-) )

# Debian's adduser has no -p flag and would prompt for the GECOS fields, so create
# the account non-interactively and set the password with chpasswd instead
adduser --ingroup sftp --shell /bin/false --gecos "" --disabled-password user
echo 'user:R4nd0mP4ssw0rd12352752948375' | chpasswd
mkdir /SFTP/chroot/user
chown user:sftp /SFTP/chroot/user/
chmod 700 /SFTP/chroot/user/
# ~/.ssh must exist and belong to the user before ssh-keygen writes into it
install -d -m 700 -o user -g sftp /home/user/.ssh
sudo -u user ssh-keygen -f /home/user/.ssh/id_rsa -t rsa -N ''
mkdir -p /root/SFTP_users
sudo -u user cat /home/user/.ssh/id_rsa >> /root/SFTP_users/id_rsa_user
sudo -u user cat /home/user/.ssh/id_rsa.pub >> /root/SFTP_users/id_rsa_user.pub
cat /root/SFTP_users/id_rsa_user.pub | sudo -u user tee /home/user/.ssh/authorized_keys

“Super random password” because reasons (if you use * as the password, you cannot SFTP in)