Debian: Script for SFTP users
When using a server with multiple external users, one thing that regularly comes up is that users want to access a folder on the server, such as the root folder for a webserver. This way every user can manage their files and upload new content. This can be achieved securely with SFTP, which uses the SSH protocol for file transfers.
In this article, I provide a simple script to create new users with minimal preparation and all correct settings. The text is based on the following article on debian-administration.org: OpenSSH SFTP chroot() with ChrootDirectory.
Preparation
First off, make sure that OpenSSH is already installed and running. You will want to perform the following steps as root. As a first step, create a new group on your server called “sftponly”:
# groupadd sftponly
All users that are part of this group will only be able to connect via SFTP and not via shell. Next up, edit /etc/ssh/sshd_config, add the following lines at the end of the file (everything after a Match line belongs to that block until the next Match line, so it must come after the global settings) and restart the SSH daemon.
Match group sftponly
    ChrootDirectory /srv/sftp/%u
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp
# "Match all" closes the block; a bare "Match" line is rejected by sshd, and
# without a closing line any global option added below would only apply to
# the sftponly group.
Match all
So if a user is in the “sftponly” group and connects to the SSH server, apply the following restrictions:
- chroot() the user to the folder /srv/sftp/<username>
- Disable X11Forwarding and disallow TcpForwarding
- Handle the connection with “internal-sftp”
Next, create the folder you specified above (the parent of the ChrootDirectory):
# mkdir /srv/sftp
Now you should be ready to use the script below.
Script to create new users
This script allows you to automatically take all necessary steps to create a new user that only has SFTP access (and no shell access).
#!/bin/bash
SFTPONLY_GROUP="sftponly"
SFTP_BASE_FOLDER="/srv/sftp"
UPLOAD_DIR="htdocs"
USERID="$1"

# Check parameters
if [ -z "$USERID" ]; then
    echo "Usage: $0 <new username>" 1>&2
    exit 1
fi

# Check if root
if [ "$(id -u)" != "0" ]; then
    echo "This script must be run as root" 1>&2
    exit 1
fi

# Make sure the group exists (getent matches the whole name; a prefix grep on
# /etc/group would also match e.g. "sftponly2")
if getent group "$SFTPONLY_GROUP" > /dev/null; then
    echo "Nice, group $SFTPONLY_GROUP already exists in /etc/group"
else
    echo "Group $SFTPONLY_GROUP does not exist, creating..."
    groupadd "$SFTPONLY_GROUP"
fi

# Make sure the user does not exist
if getent passwd "$USERID" > /dev/null; then
    echo "User $USERID exists in /etc/passwd, aborting..."
    exit 1
fi
echo "Good, $USERID is a new user."

# Make sure the chroot folder does not exist yet
if [ -d "$SFTP_BASE_FOLDER/$USERID" ]; then
    echo "Folder $SFTP_BASE_FOLDER/$USERID already exists, aborting..."
    exit 1
fi

echo "Adding user..."
adduser "$USERID"
echo "Creating folder $SFTP_BASE_FOLDER/$USERID..."
mkdir "$SFTP_BASE_FOLDER/$USERID"
echo "Setting home directory of the new user..."
# The user is chrooted to $SFTP_BASE_FOLDER/$USERID, so "/" is the home
# directory as seen from inside the chroot.
usermod -d / "$USERID"
echo "Assigning $USERID to $SFTPONLY_GROUP..."
# -a appends to the supplementary groups instead of replacing them
usermod -aG "$SFTPONLY_GROUP" "$USERID"
echo "Setting necessary permissions for chroot folder..."
# sshd only accepts a ChrootDirectory that is owned by root and not writable
# by group or others; mkdir ran as root, so 755 satisfies that.
chmod -R 755 "$SFTP_BASE_FOLDER/$USERID"
echo "Creating directory structure..."
# The upload directory below the chroot is the only place the user can write.
mkdir "$SFTP_BASE_FOLDER/$USERID/$UPLOAD_DIR"
chown "$USERID:$SFTPONLY_GROUP" "$SFTP_BASE_FOLDER/$USERID/$UPLOAD_DIR"
echo "Done."
To use the script, make it executable (chmod +x mksftpuser.sh) and execute it like this to create a new user “newuser”:
# ./mksftpuser.sh newuser
After executing the script and providing all information, you can now connect to the server via SFTP.
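A consistency check for the result, added here as an example and not part of the original script: it walks /srv/sftp and reports every user directory that sshd would refuse as a ChrootDirectory (not root-owned, or writable by group or others) and every directory whose user is not in the sftponly group, which would leave that user with shell access. The function names and the optional owner/group parameters are my own; it assumes GNU coreutils (stat, id).

```shell
#!/bin/bash
# Added example, not part of the original script: audit the chroot tree that
# mksftpuser.sh builds. sshd only accepts a ChrootDirectory that is owned by
# root and not writable by group or others, and a user outside "sftponly"
# is not covered by the Match block at all. Assumes GNU coreutils (stat, id).
SFTP_BASE_FOLDER="/srv/sftp"
SFTPONLY_GROUP="sftponly"

# Return 0 if DIR is owned by OWNER_UID (default 0 = root, the only owner
# sshd accepts; the parameter exists so the check can run on a scratch tree)
# and has the group and other write bits clear.
chroot_dir_ok() {
    local dir="$1" owner="${2:-0}" uid mode
    [ -d "$dir" ] || return 1
    uid=$(stat -c '%u' "$dir") || return 1
    mode=$(stat -c '%a' "$dir") || return 1   # e.g. 755 or 2750
    [ "$uid" = "$owner" ] || return 1
    # Last digit is "other", second to last is "group"; bit 2 is write.
    [ $(( mode % 10 & 2 )) -eq 0 ] && [ $(( mode / 10 % 10 & 2 )) -eq 0 ]
}

# Return 0 if USER is a member of GROUP (primary or supplementary).
user_in_group() {
    id -nG "$1" 2>/dev/null | tr ' ' '\n' | grep -qx "$2"
}

# Check every per-user directory under BASE, print each problem and return
# the number of problems found (0 means the tree is consistent).
audit_sftp_dirs() {
    local base="${1:-$SFTP_BASE_FOLDER}" owner="${2:-0}" group="${3:-$SFTPONLY_GROUP}"
    local problems=0 dir user
    for dir in "$base"/*/; do
        [ -d "$dir" ] || continue
        dir="${dir%/}"
        user="${dir##*/}"
        if ! chroot_dir_ok "$dir" "$owner"; then
            echo "PROBLEM: $dir is not owned by uid $owner or is group/world writable"
            problems=$((problems + 1))
        fi
        if ! user_in_group "$user" "$group"; then
            echo "PROBLEM: $user is not in group $group, so the Match block does not apply"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# As root, "audit_sftp_dirs" with no arguments checks /srv/sftp against root
# ownership and the sftponly group.
```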