Create a sftp-only account
In this post I described how to create a personal file hosting service for backup purposes - that case refers to an asynchronous scenario: files are transferred when you run the script indeed. Now let's see how to create a special no-login account that has only the ability to use sftp (of course, you can mount that home directory later, using sshfs in order to obtain a remote read-write storage).
The following commands prepare a sftp-only account; they seem a bit strange because they change the ownership of the home directory to root, but don’t worry and go ahead, of course “they perfectly work on my PC” :-)
adduser USERNAME chown root:root /home/USERNAME/ chmod 755 /home/USERNAME/ cd /home/USERNAME/ chown USERNAME:USERNAME *
Now, edit /etc/ssh/sshd_config, commenting “Subsystem sftp /usr/lib/openssh/sftp-server”
#Subsystem sftp /usr/lib/openssh/sftp-server Subsystem sftp internal-sftp Match User USERNAME AllowTcpForwarding no X11Forwarding no ChrootDirectory %h ForceCommand internal-sftp
Then restart ssh service to finish the job:
service ssh restart
Important note: in this way the user will not be able to browse the filesystem and this a very valuable security feature, because he/she will not understand anything about the hosting OS; the user will not have write grants in the home directory (root owns it), anyway you can create a subdirectory for these purposes:
mkdir uploads chown USERNAME:USERNAME uploads
if everything works properly, as the user will no longer be able to log in anymore, you can remove the files like .profile, .bash*, .cache, and so on.
Posted on 2019-06-21
Copyright © 2019 Marcello Zaniboni