Sometimes we want to give some users only sftp access, without
"normal" ssh access. Below are some notes on how to set this up.
It is presumed that the system already allows pubkey authentication.
In outline, this is how it works:
* members of the group sftpusers get sftp access
* the public key of the user is stored in /etc/ssh-pool
* each key in this pool has the filename <username>.pub
* they only have access to their personal incoming directory
Other users, not part of the group sftpusers, can still have normal ssh
access.
Setup directory
---------------
Create the directory /sftp
Each user will get a subdirectory in here.
Create the directory /etc/ssh-pool/
The public key of each user will come in here.
Create a new group
------------------
groupadd sftpusers
The members of this group will get sftp access.
Edit sshd_config
----------------
Make sure that the following line is commented out:
# Subsystem sftp /usr/lib/openssh/sftp-server
and replace it with:
Subsystem sftp internal-sftp
Add the following lines at the end of the file (every directive after a
Match line, up to the next Match, applies only to that match):
Match Group sftpusers
ChrootDirectory /sftp/%u
ForceCommand internal-sftp
PubkeyAuthentication yes
AuthorizedKeysFile /etc/ssh-pool/%u.pub
Add some users
--------------
In the following, the user "guestuser" is added.
Replace the name "guestuser" with the username of each user.
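The steps above gathered into one script, as an added example (editor's code, not part of these notes). It creates the directory layout, prints the Match block so it can be appended to sshd_config, copies a user's key into the pool as <username>.pub, and checks the rule sshd enforces on a ChrootDirectory: the directory and every path component above it must be owned by root and writable by nobody else, otherwise the login fails and sshd logs "bad ownership or modes for chroot directory". Assumptions the notes do not state: the per-user writable directory is called "incoming", the paths and group can be overridden through SFTP_ROOT, POOL_DIR and SFTP_GROUP so the layout can be tried in a scratch tree, and stat(1) is GNU stat.

```shell
#!/bin/sh
# Added example, not part of the original notes. Defaults follow the notes;
# the environment overrides exist so the layout can be exercised as a
# non-root user in a scratch directory.
SFTP_ROOT="${SFTP_ROOT:-/sftp}"
POOL_DIR="${POOL_DIR:-/etc/ssh-pool}"
SFTP_GROUP="${SFTP_GROUP:-sftpusers}"

# mode_ok DIR: returns 0 if DIR is neither group- nor world-writable.
# sshd requires this for the ChrootDirectory and for every directory above it.
# Uses GNU stat: %a prints the octal mode (e.g. 755 or 2755).
mode_ok() {
    [ -d "$1" ] || return 1
    mode=$(stat -c '%a' "$1") || return 1
    mode=$(printf '%04d' "$mode")          # pad to 4 digits: [special]ugo
    g=$(printf '%s' "$mode" | cut -c3)     # group permission digit
    o=$(printf '%s' "$mode" | cut -c4)     # other permission digit
    [ $((g & 2)) -eq 0 ] && [ $((o & 2)) -eq 0 ]   # 2 is the write bit
}

# chroot_dir_ok DIR: returns 0 if DIR is owned by root (uid 0) and passes mode_ok.
# Both conditions must hold or sshd refuses the chroot.
chroot_dir_ok() {
    mode_ok "$1" || return 1
    [ "$(stat -c '%u' "$1")" = "0" ]
}

# key_path USER: the file sshd reads for USER under the AuthorizedKeysFile line.
key_path() {
    printf '%s/%s.pub\n' "$POOL_DIR" "$1"
}

# match_block: the Match block from the notes, printed so it can be appended
# to sshd_config (it must come after all global directives).
match_block() {
    cat <<EOF
Match Group $SFTP_GROUP
ChrootDirectory $SFTP_ROOT/%u
ForceCommand internal-sftp
PubkeyAuthentication yes
AuthorizedKeysFile $POOL_DIR/%u.pub
EOF
}

# make_user_tree USER: creates the chroot root for USER and the "incoming"
# subdirectory (assumed name) with modes that satisfy mode_ok.
make_user_tree() {
    mkdir -p "$SFTP_ROOT/$1/incoming" "$POOL_DIR"
    chmod 755 "$SFTP_ROOT" "$SFTP_ROOT/$1"   # chroot root: not writable by the user
    chmod 700 "$SFTP_ROOT/$1/incoming"       # only the user writes in here
}

# add_sftp_user USER PUBKEYFILE: full per-user setup. Ownership and group
# membership need root and are skipped with a warning otherwise.
add_sftp_user() {
    user="$1"; pubkey="$2"
    [ -f "$pubkey" ] || { echo "no key file: $pubkey" >&2; return 1; }
    make_user_tree "$user"
    cp "$pubkey" "$(key_path "$user")"
    chmod 644 "$(key_path "$user")"          # readable by sshd, writable only by root
    if [ "$(id -u)" = "0" ]; then
        usermod -aG "$SFTP_GROUP" "$user"
        chown root:root "$SFTP_ROOT" "$SFTP_ROOT/$user"
        chown "$user:$SFTP_GROUP" "$SFTP_ROOT/$user/incoming"
        chroot_dir_ok "$SFTP_ROOT/$user" || {
            echo "chroot dir $SFTP_ROOT/$user has bad ownership or modes" >&2
            return 1
        }
    else
        echo "not root: skipping usermod/chown for $user" >&2
    fi
}
```

As root, `add_sftp_user guestuser /path/to/guestuser.pub` performs the "Add some users" step for one user; `match_block >> /etc/ssh/sshd_config` followed by `sshd -t` adds the Match block and lets sshd check the configuration before it is reloaded. Run `chroot_dir_ok /sftp/guestuser` whenever an sftp login is refused, since a stray group-writable bit on /sftp or /sftp/<username> is the usual cause.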