SFTP setup


SFTP can now be set up directly in sshd. With OpenSSH 4.9 or later you can create a very stable chrooted SFTP server.


Fix sshd_config

Subsystem sftp internal-sftp
 
Match group sftp
         ChrootDirectory /home/%u
         X11Forwarding no
         AllowTcpForwarding no
         ForceCommand internal-sftp

Turn off selinux

echo 0 > /selinux/enforce

Add sftp group

groupadd sftp

Create a new user

useradd -m myuser

Add new user to sftp group

usermod -g sftp myuser

Remove the user's shell

usermod -s /bin/false myuser

Change write permissions

chmod 0755 /home/myuser

Change user and group to root

chown root:root /home/myuser

Set Password for user

passwd myuser

Make proper directories

mkdir /home/myuser/.ssh
mkdir /home/myuser/upload
mkdir /home/myuser/download

Set proper permissions

chown myuser:myuser /home/myuser/upload
chown myuser:myuser /home/myuser/download

Copy your key (optional)

cp your_public_rsa_key /home/myuser/.ssh/authorized_keys

Create admin account and clients

Let's say your admin account is fs_ftp_admin and your client account is dcps_ftp. You will create one group for both called fsftp. First, create the two entries in /etc/ssh/sshd_config.

1) Create the entries in sshd_config

# The admin is chrooted to the shared tree; each client in group fsftp is
# chrooted to its own subdirectory below it. sshd applies the first Match
# block that sets ChrootDirectory, so the admin entry must come first.
Match user fs_ftp_admin
        ChrootDirectory /home/fs_ftp_admin
        X11Forwarding no
        AllowTcpForwarding no
        ForceCommand internal-sftp
 
Match group fsftp
        ChrootDirectory /home/fs_ftp_admin/%u
        X11Forwarding no
        AllowTcpForwarding no
        ForceCommand internal-sftp

2) Create the group

[root@fgpdcdmzftp01 ssh]# groupadd fsftp

3) Create the users and set passwords

[root@fgpdcdmzftp01 ssh]# useradd -m -s /bin/false -g fsftp fs_ftp_admin
[root@fgpdcdmzftp01 ssh]# useradd -c "Duval county public school FTP account" -m -s /bin/false -g fsftp -d /home/fs_ftp_admin/dcps_ftp dcps_ftp
[root@fgpdcdmzftp01 ssh]# passwd fs_ftp_admin
[root@fgpdcdmzftp01 ssh]# passwd dcps_ftp

4) Clean up files and set permissions

[root@fgpdcdmzftp01 ssh]# chmod -R 0755 /home/fs_ftp_admin/
[root@fgpdcdmzftp01 ssh]# chown -R root:root /home/fs_ftp_admin
[root@fgpdcdmzftp01 ssh]# chown -R dcps_ftp:fsftp /home/fs_ftp_admin/dcps_ftp

Now test it. The admin user can see all of the client's files, but the client can only see its own. You can create more clients using the method above.
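Logins to a chroot usually fail with "bad ownership or modes for chroot directory" when one component of the ChrootDirectory path is not root-owned or is group/other writable. The script below is an added check (not from this page) that walks the path and reports the first offending component; it assumes GNU stat, and the STOP and OWNER_UID parameters exist only so it can be exercised on a test tree.

```sh
#!/bin/sh
# Verify the rules sshd enforces on a ChrootDirectory: every component from
# the chroot up to / must be owned by root and not writable by group/others.
# Assumes GNU coreutils stat.  Usage: check_chroot.sh /home/fs_ftp_admin

# dir_is_safe DIR [OWNER_UID]: succeed if DIR is owned by OWNER_UID (default
# root) and has no group/other write bit; print the first problem found.
dir_is_safe() {
    dir=$1
    owner=${2:-0}
    [ -d "$dir" ] || { echo "missing directory: $dir"; return 1; }
    set -- $(stat -c '%u %A' "$dir")          # e.g. "0 drwxr-xr-x"
    [ "$1" = "$owner" ] || { echo "owned by uid $1, not $owner: $dir"; return 1; }
    case $2 in
        ?????w*|????????w*)                   # 6th char: group w, 9th: other w
            echo "group/other writable ($2): $dir"; return 1 ;;
    esac
    return 0
}

# chroot_path_safe CHROOT [STOP] [OWNER_UID]: apply dir_is_safe to CHROOT and
# each parent up to STOP (default /).  STOP/OWNER_UID are test knobs only;
# sshd itself always walks to / and requires root ownership.
chroot_path_safe() {
    dir=$1
    stop=${2:-/}
    owner=${3:-0}
    while :; do
        dir_is_safe "$dir" "$owner" || return 1
        if [ "$dir" = "$stop" ] || [ "$dir" = "/" ]; then
            return 0
        fi
        dir=$(dirname "$dir")
    done
}

# effective_chroot USER: print the ChrootDirectory sshd would apply to USER
# after Match evaluation (needs sshd -T -C, newer than the 4.9 minimum above).
effective_chroot() {
    sshd -T -C "user=$1" | awk '$1 == "chrootdirectory" { print $2 }'
}

if [ -n "$1" ]; then
    chroot_path_safe "$1" && echo "OK: $1 is usable as a ChrootDirectory"
fi
```

Run it against the chroot of each user from the config above (for example `effective_chroot dcps_ftp` to get the path, then `chroot_path_safe` on it) whenever a login is refused.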
