SFTP Only SSH Server

If you run a webserver and need FTP access to it, sftp is the way to go. FTP sends everything, password included, in plain text, which is not very secure. sftp (secure FTP, which runs over SSH) encrypts everything, making for a much more secure FTP server. In this tutorial, I will show you how to create an sftp only server for secure access to your website.

Configure SSH to use sftp only mode

We will start by editing /etc/ssh/sshd_config, so open up the file and find the line

#Subsystem       sftp    /opt/openssh/libexec/sftp-server

Leave that line commented out (the external sftp-server binary is not needed) and add the following line in its place, so that sshd uses its built-in sftp server.

Subsystem       sftp    internal-sftp

Next, add the following lines to the end of the file. They must go at the end: every directive after a Match line belongs to that Match block, so anything placed below it would apply only to the sftponly group.

Match Group sftponly
    ChrootDirectory /var/www/htdocs/users
    ForceCommand internal-sftp -d %u
    AllowTcpForwarding no

For members of the sftponly group this confines the session to /var/www/htdocs/users (ChrootDirectory), replaces whatever command the client asked for with the built-in sftp server started in the subdirectory named after the login name (ForceCommand internal-sftp -d %u), and disables port forwarding through the jail (AllowTcpForwarding no).

Start SSH and enable it to run at boot

Now you can start your sftp only SSH server. If sshd was already running, restart it instead so that it reads the new configuration.

# rcctl enable sshd
# rcctl start sshd

Add users who can use the sftp only server

Next, we want to add an sftponly group

# groupadd sftponly

Then we will add users to the group sftponly

# usermod -g sftponly username

Next, we need to create the users directory that will serve as the chroot. sshd insists that this directory, and every directory above it, is owned by root and not writable by group or others, so create it as root and leave the default permissions alone.

# mkdir /var/www/htdocs/users

Create directories and set permissions

Finally, for each user, create a directory named after their login under /var/www/htdocs/users, change its ownership to the user and chmod it 700. The -d %u in the ForceCommand drops the user into this directory when they connect.

# mkdir /var/www/htdocs/users/username
# chown username:sftponly /var/www/htdocs/users/username
# chmod 700 /var/www/htdocs/users/username

Now when a member of the sftponly group connects with sftp, they land in the chroot jail you specified. If they try to SSH in for a shell instead, they get the following message and are denied access. Users outside the sftponly group can still SSH in as before.

# ssh user@10.0.0.157
This service allows sftp connections only.

That's it! Now you can have secure FTP access for your users chrooted to their respective webserver directories.