So you want to configure an sftp only user?
# create the group that all sftp-only users will belong to
sudo groupadd sftponly
For security reasons, one ought to use chroot jailing, which confines a user to the specified directory and its tree, but nothing else.
NOTE: For the chroot jail to work properly, users' home directories (and all directories in the path) must be owned by root, and must not be writable by groups (g-w).
Replace username below with your chosen username. Replace public below with any directory name you want to use (e.g. dropbox, incoming).
# make a directory for all sftp users
sudo mkdir /sftp
# make the user's home directory (this becomes the root of the chroot)
# it stays owned by root with the default mode 755, so the user cannot write to /sftp/username;
# sshd refuses the chroot if this directory or any parent is group- or world-writable
sudo mkdir /sftp/username
# make the user's public directory
# this will be writable.
sudo mkdir /sftp/username/public
# set the ownership of the user's public directory
sudo chown username:sftponly /sftp/username/public
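The NOTE above states the rule sshd enforces for ChrootDirectory: every component of the path, from / down, must be owned by root and must not be writable by group or others. The following is an added check script (not part of the original guide) that walks the path /sftp/username and reports each offending component; the stat_fn parameter is an assumption of this example so the logic can be exercised on constructed metadata.

```python
import os
import stat
import sys
from pathlib import PurePosixPath


def chroot_path_problems(chroot_dir, stat_fn=os.stat, expected_uid=0):
    """Return a list of problems sshd would reject in a ChrootDirectory path.

    Every component of chroot_dir, starting at /, must be a directory owned
    by expected_uid (root, uid 0) and must not be writable by group or
    others.  Each returned string names one offending component; an empty
    list means the path satisfies the requirement.  stat_fn is injectable
    (hypothetical parameter for this example) so the check can run on
    constructed metadata instead of a real tree.
    """
    if not chroot_dir.startswith("/"):
        raise ValueError("ChrootDirectory must be an absolute path")
    problems = []
    parts = PurePosixPath(chroot_dir).parts  # e.g. ('/', 'sftp', 'username')
    for i in range(1, len(parts) + 1):
        component = str(PurePosixPath(*parts[:i]))
        try:
            st = stat_fn(component)
        except OSError as exc:
            problems.append(f"{component}: cannot stat ({exc})")
            continue
        if not stat.S_ISDIR(st.st_mode):
            problems.append(f"{component}: not a directory")
        if st.st_uid != expected_uid:
            problems.append(f"{component}: owned by uid {st.st_uid}, expected {expected_uid}")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            mode = stat.S_IMODE(st.st_mode)
            problems.append(f"{component}: writable by group or others (mode {mode:04o})")
    return problems


if __name__ == "__main__":
    # usage: python3 check_chroot.py /sftp/username  (exit status 1 if problems)
    target = sys.argv[1] if len(sys.argv) > 1 else "/sftp/username"
    found = chroot_path_problems(target)
    for line in found:
        print(line)
    sys.exit(1 if found else 0)
```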
Edit /etc/ssh/sshd_config with your favorite editor.
Add the following to the end of the file:
Match Group sftponly
ChrootDirectory /sftp/%u
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
And restart the ssh server. If you're using upstart:
sudo restart ssh
Replace username below with your chosen username. Replace public below with the directory name you chose above.
# add the user
# -g sftponly: sets the group (this is what the Match block keys on)
# -d /public: sets the user's home directory; the path is relative to the chroot,
#             so /public here is /sftp/username/public on the real filesystem
#             and the user lands in the writable directory on login
# -s /usr/sbin/nologin: no shell. (confirm path with `which nologin`)
sudo useradd -g sftponly -d /public -s /usr/sbin/nologin username
# set the user's password (use a long random password)
sudo passwd username
ssh connections should not work:
% ssh username@localhost
username@localhost's password:
This service allows sftp connections only.
Connection to localhost closed.
%
sftp connections should work:
% sftp username@localhost
username@localhost's password:
Connected to localhost.
sftp>