Setting up an sftp-only user

This allows us to give semi-public access so that friends or whoever can upload some files.

SSH config

Add the following to your sshd_config:

Match Group public_users
	ChrootDirectory /var/public_upload
	AllowTCPForwarding no
	X11Forwarding no
	ForceCommand internal-sftp
	AuthorizedKeysFile /var/public_upload/%u/.ssh/authorized_keys

Make sure the Subsystem sftp line in sshd_config uses internal-sftp, not the old sftp-server binary. internal-sftp runs inside sshd itself, so no binaries or libraries have to exist inside the chroot, and together with the ForceCommand above it means the user can only ever talk to the sftp subsystem, never get a shell.

Note that every directory in the chroot path (here /, /var and /var/public_upload) must be owned by root and must not be writable by group or others; sshd refuses the chroot otherwise. The AuthorizedKeysFile line is needed so sshd looks for the .ssh dir inside the chroot. By default it looks in the user's homedir on the real filesystem, outside the chroot, which may not exist.
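As an added check (not part of the original note), this POSIX sh script walks every component of the ChrootDirectory path and reports any that is not owned by root or is group- or world-writable, which is the condition sshd enforces before it will chroot a user. The script name and the optional want_uid parameter are the script's own assumptions, not anything from sshd.

```sh
#!/bin/sh
# Walk every directory component of an sshd ChrootDirectory and report any
# that is not owned by root or is writable by group or others; sshd refuses
# to chroot into a path that fails this. want_uid is normally 0 (root); the
# parameter exists only so the check can be exercised on a test tree.

check_component() {   # check_component DIR WANT_UID
    dir=$1 want_uid=$2 bad=0
    [ -d "$dir" ] || { echo "$dir: not a directory"; return 1; }
    # ls -ldn prints e.g. "drwxr-xr-x 3 0 0 4096 Jan 1 12:00 /var":
    # field 1 is the mode string, field 3 the numeric owner uid.
    set -- $(ls -ldn "$dir")
    mode=$1 uid=$3
    [ "$uid" = "$want_uid" ] || { echo "$dir: owned by uid $uid, want $want_uid"; bad=1; }
    case $mode in ?????w*) echo "$dir: group-writable"; bad=1 ;; esac     # 6th char is g+w
    case $mode in ????????w*) echo "$dir: world-writable"; bad=1 ;; esac  # 9th char is o+w
    return $bad
}

check_chroot_path() {   # check_chroot_path /var/public_upload [WANT_UID]
    path=$1 want_uid=${2:-0} rc=0
    case $path in /*) ;; *) echo "$path: must be absolute"; return 1 ;; esac
    # Start at the chroot itself and walk up to /, so a writable parent is caught too.
    while :; do
        check_component "$path" "$want_uid" || rc=1
        [ "$path" = / ] && break
        path=$(dirname "$path")
    done
    return $rc
}

# Usage: sh check_chroot.sh /var/public_upload
if [ $# -gt 0 ]; then check_chroot_path "$1"; fi
```

Run it as root against the ChrootDirectory after creating the tree; a clean run prints nothing and exits 0.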

User setup

Create the group for the users.

pw add group public_users

Now set up the user:

pw add user -n friend -G public_users -d /friend -c 'sftp only user' -m -s /usr/sbin/nologin
passwd friend
...

Note the homedir: /friend is relative to the chroot, i.e. /var/public_upload/friend on the real filesystem.