hisnameisjimmy · December 11, 2017 20:14
diff --git a/sftp-chroot-server-setup.sh b/sftp-chroot-server-setup.sh
 # Add the following to the bottom of /etc/ssh/sshd_config
 # This makes it so any user with the group sftponly only has access to 
 # their chrooted home directory and forces internal-sftp. In this situation, 
 # we're going to make the home directory the chroot. We'll also 
 # comment out PasswordAuthentication so that we don't run into issues there.
 # This setup will prevent shell access as long as you use the script over here:
 # https://gist.github.com/hisnameisjimmy/a3cbc5c7c925ce8854afa350cb01cfe4


 #
 ## Start /etc/ssh/sshd_config changes
 #

 # PasswordAuthentication yes

 Subsystem sftp internal-sftp

 # Set this to 'yes' to enable PAM authentication, account processing,
 # and session processing. If this is enabled, PAM authentication will
 # be allowed through the ChallengeResponseAuthentication and
 # PasswordAuthentication.  Depending on your PAM configuration,
 # PAM authentication via ChallengeResponseAuthentication may bypass
 # the setting of "PermitRootLogin without-password".
 # If you just want the PAM account and session checks to run without
 # PAM authentication, then enable this but set PasswordAuthentication
 # and ChallengeResponseAuthentication to 'no'.
 UsePAM yes

 # SFTP Only
 Match Group sftponly
        ChrootDirectory /home/%u
        ForceCommand internal-sftp
        AllowTcpForwarding no

 #
 ## End /etc/ssh/sshd_config changes
 #

 # Test that the sshd_config will work

 sshd -t

 # Restart SSH if things look good

 service ssh restart

 # Create sftponly group

 sudo addgroup sftponly
	# Add the following to the bottom of /etc/ssh/sshd_config
	# This makes it so any user with the group sftponly only has access to
	# their chrooted home directory and forces internal-sftp. In this situation,
	# we're going to make the home directory the chroot. We'll also
	# comment out PasswordAuthentication so that we don't run into issues there.
	# This setup will prevent shell access as long as you use the script over here:
	# https://gist.github.com/hisnameisjimmy/a3cbc5c7c925ce8854afa350cb01cfe4


	#
	## Start /etc/ssh/sshd_config changes
	#

	# PasswordAuthentication yes

	Subsystem sftp internal-sftp

	# Set this to 'yes' to enable PAM authentication, account processing,
	# and session processing. If this is enabled, PAM authentication will
	# be allowed through the ChallengeResponseAuthentication and
	# PasswordAuthentication. Depending on your PAM configuration,
	# PAM authentication via ChallengeResponseAuthentication may bypass
	# the setting of "PermitRootLogin without-password".
	# If you just want the PAM account and session checks to run without
	# PAM authentication, then enable this but set PasswordAuthentication
	# and ChallengeResponseAuthentication to 'no'.
	UsePAM yes

	# SFTP Only
	Match Group sftponly
	ChrootDirectory /home/%u
	ForceCommand internal-sftp
	AllowTcpForwarding no

	#
	## End /etc/ssh/sshd_config changes
	#

	# Test that the sshd_config will work

	sshd -t

	# Restart SSH if things look good

	service ssh restart

	# Create sftponly group

	sudo addgroup sftponly