Create a new Unix group called sftp. Every user that should only ever connect over SFTP (no shell, no forwarding) is added to this group, because the sshd Match block below keys off group membership.
addgroup sftp
I'm going to store all SFTP related files in /var/sftp and chroot each user to their own directory.
root must own /var/sftp and every directory above it, and none of them may be writable by group or others. sshd checks the whole path, not just the leaf, and refuses the login with "bad ownership or modes for chroot directory" otherwise.
mkdir /var/sftp
chown root:root /var/sftp
chmod 755 /var/sftp
Add a Match block for the sftp group to /etc/ssh/sshd_config and apply the following parameters to it. Put the block at the end of the file: everything after a Match line applies only to matching sessions until the next Match, so a block placed mid-file would swallow the global directives below it. %u in ChrootDirectory expands to the login name.
Match Group sftp
ForceCommand internal-sftp
PasswordAuthentication yes
ChrootDirectory /var/sftp/%u
PermitTunnel no
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no
Add a new SFTP user. A few requirements must hold for this setup to work:
- the user must be a member of the sftp group, otherwise the Match block does not apply and the user gets an ordinary, non-chrooted session;
- the user's home must live under /var/sftp, so that ChrootDirectory /var/sftp/%u resolves to a directory that exists;
- the chroot directory itself must stay root-owned, so the user's writable directory has to sit one level below it.
For example, /var/sftp/user1 is still owned by root: this is what lets sshd chroot the session and keeps each user's files separate from the others. /var/sftp/user1/user1 is then the directory that is actually writable by the user logging in; inside the session the chroot shows up as /, so this directory appears as /user1.
Add the new user. No login shell is required, since internal-sftp runs inside sshd rather than through the user's shell, so a shell such as /usr/sbin/nologin can be set via adduser's --shell option if you want to rule out any other kind of access:
adduser --ingroup sftp --home /var/sftp/user1/user1 user1
Make sure ownership and permissions are correct. adduser should already have created both directories this way, but verify it, since the chroot directory must be root-owned and not group- or world-writable:
chown root:root /var/sftp/user1
chmod 755 /var/sftp/user1
chown user1:user1 /var/sftp/user1/user1
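Putting the steps above into one script, as an added example that is not part of the original page: it creates the group, the root-owned chroot directory and the user's writable home beneath it, emits the Match block, and re-checks the ownership and mode rule sshd enforces on every component of the ChrootDirectory path. It assumes Debian-style addgroup/adduser and GNU stat; the function names, the nologin shell and the command-line dispatch are choices made for this example.

```shell
#!/bin/sh
# Provision and verify a chrooted SFTP-only user (added example, not the
# original page's code). Assumes Debian-style addgroup/adduser, GNU stat.

# Check one path component the way sshd does: root-owned and not writable
# by group or others. Uses stat's symbolic mode output (e.g. drwxr-xr-x).
check_dir() {
    d=$1
    st=$(stat -c '%u %A' "$d" 2>/dev/null) || {
        echo "$d: cannot stat" >&2
        return 1
    }
    uid=${st%% *}
    perm=${st#* }
    if [ "$uid" != 0 ]; then
        echo "$d: owned by uid $uid, sshd requires root" >&2
        return 1
    fi
    # character 6 is the group write bit, character 9 the other write bit
    case $perm in
        ?????w*|????????w*)
            echo "$d: mode $perm is group- or world-writable" >&2
            return 1 ;;
    esac
    return 0
}

# sshd validates every component from / down to the chroot directory, so a
# world-writable /var/sftp breaks logins even if /var/sftp/user1 is fine.
check_chroot_path() {
    d=$1
    case $d in
        /*) ;;
        *) echo "$d: chroot path must be absolute" >&2; return 1 ;;
    esac
    while :; do
        check_dir "$d" || return 1
        [ "$d" = / ] && return 0
        d=$(dirname "$d")
    done
}

# Emit the sshd_config Match block from this page, parameterised on the
# group name and the base directory.
render_match_block() {
    group=$1
    base=$2
    printf 'Match Group %s\n' "$group"
    printf '    ForceCommand internal-sftp\n'
    printf '    PasswordAuthentication yes\n'
    printf '    ChrootDirectory %s/%%u\n' "$base"
    printf '    PermitTunnel no\n'
    printf '    AllowAgentForwarding no\n'
    printf '    AllowTcpForwarding no\n'
    printf '    X11Forwarding no\n'
}

# Create the group, the root-owned chroot directory, the user and the user's
# writable home beneath it, then verify the chroot invariants. Must run as
# root; adduser prompts for the password interactively.
provision_sftp_user() {
    user=$1
    base=${2:-/var/sftp}
    [ "$(id -u)" -eq 0 ] || { echo "provision_sftp_user: run as root" >&2; return 1; }
    getent group sftp >/dev/null 2>&1 || addgroup sftp
    mkdir -p "$base/$user"
    chown root:root "$base" "$base/$user"
    chmod 755 "$base" "$base/$user"
    # No login shell is needed: internal-sftp runs inside sshd itself.
    adduser --ingroup sftp --shell /usr/sbin/nologin \
        --home "$base/$user/$user" "$user"
    chown "$user:$user" "$base/$user/$user"
    check_chroot_path "$base/$user"
}

# Command-line dispatch (hypothetical interface chosen for this example).
case ${1-} in
    add)    provision_sftp_user "$2" "${3-}" ;;
    check)  check_chroot_path "$2" ;;
    config) render_match_block "${2:-sftp}" "${3:-/var/sftp}" ;;
esac
```

Run it as root: `sh sftp-user.sh config >> /etc/ssh/sshd_config`, then `sshd -t` to validate the configuration before reloading, and `sh sftp-user.sh add user1` to provision a user. `sh sftp-user.sh check /var/sftp/user1` reproduces the check sshd performs, so it is the first thing to run when a user is disconnected right after authenticating.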