Debian: Script for SFTP users

When using a server with multiple external users, one thing that regularly comes up is that users want to access a folder on the server, such as the root folder for a webserver. This way every user can manage their files and upload new content. This can be achieved securely with SFTP, which uses the SSH protocol for file transfers.

In this article, I provide a simple script to create new users with minimal preparation and all correct settings. The text is based on the following article on debian-administration.org: OpenSSH SFTP chroot() with ChrootDirectory.

Preparation

First off, make sure that OpenSSH is already installed and running. You might want to connect as root to perform the following steps. Alright, as a first step, create a new group on your server called “sftponly”:

# groupadd sftponly

All users that are part of this group will only be able to connect via SFTP and not via shell. Next up, edit /etc/ssh/sshd_config, add the following lines at the end of the file and restart the SSH daemon. A Match block applies until the next Match line or the end of the file, so any directive placed below it would also be restricted to the “sftponly” group.

Match group sftponly
        ChrootDirectory /srv/sftp/%u
        X11Forwarding no
        AllowTcpForwarding no
        ForceCommand internal-sftp

So if a user in the “sftponly” group connects to the SSH server, sshd applies the following restrictions:

  • chroot() the user to the folder /srv/sftp/<username>
  • Disable X11Forwarding and disallow TcpForwarding
  • Handle the connection with “internal-sftp”

Next, create the base folder for the per-user ChrootDirectory paths specified above. Run this as root: sshd requires the chroot directory and every directory above it to be owned by root and not writable by group or others, and a plain mkdir as root gives you exactly that (root, mode 755 under the default umask):

# mkdir /srv/sftp

Now you should be ready to use the script below.

Script to create new users

This script allows you to automatically take all necessary steps to create a new user that only has SFTP access (and no shell access).

#!/bin/bash
SFTPONLY_GROUP="sftponly"
SFTP_BASE_FOLDER="/srv/sftp"
UPLOAD_DIR="htdocs"
USERID="$1"

# Check parameters
if [ "$USERID" = "" ]; then
    echo "Usage: $0 <new username>" 1>&2
    exit 1
fi

# Check if root
if [ "$(id -u)" != "0" ]; then
    echo "This script must be run as root" 1>&2
    exit 1
fi

# Make sure the group exists (match the whole name field, so that a group
# such as "sftponly2" does not count as a hit)
if /bin/egrep -q "^${SFTPONLY_GROUP}:" /etc/group; then
    echo "Nice, group $SFTPONLY_GROUP already exists in /etc/group"
else
    echo "Group $SFTPONLY_GROUP does not exist, creating..."
    groupadd "$SFTPONLY_GROUP"
fi

# Make sure the user does not exist
if /bin/egrep -q "^${USERID}:" /etc/passwd; then
    echo "User $USERID exists in /etc/passwd, aborting..."
    exit 1
else
    echo "Good, $USERID is a new user."
    if [ -d "$SFTP_BASE_FOLDER/$USERID" ]; then
        echo "Folder $SFTP_BASE_FOLDER/$USERID already exists, aborting..."
        exit 1
    else
        echo "Adding user..."
        adduser "$USERID"
        echo "Creating folder $SFTP_BASE_FOLDER/$USERID..."
        mkdir "$SFTP_BASE_FOLDER/$USERID"
        echo "Setting home directory of the new user..."
        # Inside the chroot, / is $SFTP_BASE_FOLDER/$USERID
        usermod -d / "$USERID"
        echo "Assigning $USERID to $SFTPONLY_GROUP..."
        # -a appends to the supplementary groups instead of replacing them
        usermod -aG "$SFTPONLY_GROUP" "$USERID"
        echo "Setting necessary permissions for chroot folder..."
        # The chroot folder stays owned by root and must not be writable by
        # group or others, otherwise sshd refuses the login
        chmod -R 755 "$SFTP_BASE_FOLDER/$USERID"
        echo "Creating directory structure..."
        mkdir "$SFTP_BASE_FOLDER/$USERID/$UPLOAD_DIR"
        chown "$USERID:$SFTPONLY_GROUP" "$SFTP_BASE_FOLDER/$USERID/$UPLOAD_DIR"
        echo "Done."
    fi
fi

To use the script, make it executable (chmod +x mksftpuser.sh) and execute it like this to create a new user “newuser”:

# ./mksftpuser.sh newuser

After executing the script and providing all information, you can now connect to the server via SFTP.
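If the login fails with "bad ownership or modes for chroot directory" in the auth log, the usual cause is a directory in the ChrootDirectory path that is not root-owned or is group/world writable. The following script checks that rule for a path and all its ancestors; it is an added example and not part of the original article, the function names are my own, and it assumes GNU coreutils (stat -c, realpath) as found on Debian.

```shell
#!/bin/bash
# Added example: verify the sshd rule for ChrootDirectory paths. Every
# directory from the chroot up to / must be owned by root (uid 0) and must
# not be writable by group or others. Function names are invented here.

# chroot_component_ok UID OCTAL_MODE -> 0 if this single component passes
chroot_component_ok() {
    local uid="$1" mode="$2" g o
    [ "$uid" = "0" ] || return 1              # must be owned by root
    g=$(( (8#$mode / 8) % 8 ))                # group permission digit
    o=$(( 8#$mode % 8 ))                      # other permission digit
    [ $(( g & 2 )) -eq 0 ] && [ $(( o & 2 )) -eq 0 ]   # no write bit
}

# check_chroot_path DIR -> 0 if DIR and all its ancestors pass the rule,
# 1 (with a message on stderr) at the first component that does not
check_chroot_path() {
    local path uid mode
    path=$(realpath -- "$1") || return 1      # resolve symlinks first
    while :; do
        uid=$(stat -c '%u' -- "$path") || return 1
        mode=$(stat -c '%a' -- "$path") || return 1
        if ! chroot_component_ok "$uid" "$mode"; then
            echo "NOT OK: $path (uid $uid, mode $mode) must be root-owned" \
                 "and not group/world writable" >&2
            return 1
        fi
        [ "$path" = "/" ] && return 0
        path=$(dirname -- "$path")
    done
}

# Usage: ./check_chroot.sh /srv/sftp/newuser
if [ $# -gt 0 ]; then
    check_chroot_path "$1" && echo "OK: $1 is usable as ChrootDirectory"
fi
```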

Hello world

My name is Simon Krenger, I am a Technical Account Manager (TAM) at Red Hat. I advise our customers in using Kubernetes, Containers, Linux and Open Source.
