SFTP

Note that this requires OpenSSH 5.4+.

In order for the umask to work, it is necessary to set it in both places: via the -u flag of internal-sftp in /etc/ssh/sshd_config AND via pam_umask in /etc/pam.d/sshd.

Lines added to /etc/pam.d/sshd:

# Setting UMASK for all ssh based connections (ssh, sftp, scp)
session optional pam_umask.so umask=0007

/etc/ssh/sshd_config

#Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem sftp internal-sftp -u 0007

...

Match group sftponly
         ChrootDirectory /home/%u
         X11Forwarding no
         AllowTcpForwarding no
         ForceCommand internal-sftp

sudo groupadd sftponly

sudo useradd -d /home/someone someone

sudo passwd someone

sudo usermod -g sftponly someone

sudo usermod -s /bin/false someone

Create the home dir (/home/someone) and a writable subdirectory under it (e.g., incoming).

sudo chown root:root /home/someone

sudo chown someone:sftponly /home/someone/incoming

sudo usermod -d / someone
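The chown steps above matter because sshd refuses a ChrootDirectory (and logs "bad ownership or modes for chroot directory") unless the directory and every component of its path are owned by root and not group- or world-writable; only the incoming subdirectory should be writable by the user. The following check is an added example, not part of the original note: it walks the path and reports the first component that would make sshd reject the chroot. It assumes GNU stat (-c). The expected owner uid is a parameter (default 0, root) only so the check can be exercised as an unprivileged user against a throwaway tree; the hypothetical BASE argument exists for the same reason and should be left at its default of / on a real host, since sshd always walks from /.

```shell
#!/bin/sh
# Added example: verify sshd's ChrootDirectory ownership and mode rules.

# check_chroot_dir DIR [EXPECTED_UID] -> 0 if DIR is acceptable, 1 otherwise
check_chroot_dir() {
    dir="$1"
    want_uid="${2:-0}"
    [ -d "$dir" ] || { echo "$dir: not a directory" >&2; return 1; }
    # GNU stat: %u = owner uid, %a = permission bits in octal (e.g. 755, 1777)
    uid=$(stat -c '%u' "$dir") || return 1
    mode=$(stat -c '%a' "$dir") || return 1
    if [ "$uid" != "$want_uid" ]; then
        echo "$dir: owned by uid $uid, expected uid $want_uid" >&2
        return 1
    fi
    # Pad to four digits (special,user,group,other) and test the write bit
    # (value 2) of the group and other digits; setgid/sticky are ignored.
    perm=$(printf '%04d' "$mode")
    g=$(printf '%s\n' "$perm" | cut -c3)
    o=$(printf '%s\n' "$perm" | cut -c4)
    if [ $((g & 2)) -ne 0 ] || [ $((o & 2)) -ne 0 ]; then
        echo "$dir: mode $mode is group- or world-writable" >&2
        return 1
    fi
    return 0
}

# check_chroot_path PATH [EXPECTED_UID] [BASE] -> 0 only if BASE and every
# directory between BASE and PATH pass check_chroot_dir. BASE defaults to /.
check_chroot_path() {
    target="$1"
    want_uid="${2:-0}"
    base="${3:-/}"
    check_chroot_dir "$base" "$want_uid" || return 1
    rel="${target#"$base"}"          # components below BASE
    cur="${base%/}"
    old_ifs=$IFS
    IFS=/
    set -- $rel                      # split remaining path on /
    IFS=$old_ifs
    for comp in "$@"; do
        [ -n "$comp" ] || continue
        cur="$cur/$comp"
        check_chroot_dir "$cur" "$want_uid" || return 1
    done
    return 0
}

# Demo on a constructed throwaway tree laid out like /home/someone above,
# checked as the current user instead of root.
demo() {
    base=$(mktemp -d)
    mkdir -p "$base/home/someone/incoming"
    chmod 755 "$base" "$base/home" "$base/home/someone"
    chmod 770 "$base/home/someone/incoming"
    check_chroot_path "$base/home/someone" "$(id -u)" "$base" \
        && echo "ok: sshd would accept this chroot"
    chmod 775 "$base/home/someone"   # the classic mistake: group-writable chroot
    check_chroot_path "$base/home/someone" "$(id -u)" "$base" \
        || echo "rejected: sshd would refuse this chroot"
    rm -rf "$base"
}

demo
```

On a real host run it as `check_chroot_path /home/someone` (root uid, walking from /); a non-zero exit names the directory to fix with chown root:root or chmod o-w,g-w.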


addsftpuser.sh

#!/bin/bash
# Make sure only root can run our script
if [[ $EUID -ne 0 ]]; then
    echo "This script must be run as root" 1>&2
    exit 1
fi
# Make sure we have a command-line parameter (the username)
if [ -z "$1" ]; then
  echo ""
  echo "Usage: $(basename "$0") username"
  echo ""
  exit 1
fi

user="$1"
home="/home/$user"    # must match ChrootDirectory /home/%u in sshd_config

useradd -d "$home" "$user"
usermod -g sftponly "$user"
usermod -s /bin/false "$user"
# Inside the chroot the user's home is the chroot root itself
usermod -d / "$user"

# Same layout as the manual steps: chroot dir owned by root,
# writable subdirectory (incoming) owned by the user
mkdir -p "$home/incoming"
chown root:root "$home"
chown "$user:sftponly" "$home/incoming"

# Already running as root, so no sudo needed
passwd "$user"


Getting OpenSSH 5.5 on Ubuntu 10.04 LTS