Sftp /
Chroot
Users with sftp access without ssh access (for file hosting)
1. Do one time setup
    $ doas mkdir /var/www/OrangeShare/
    $ doas groupadd sftponly
Edit your httpd config to set "/OrangeShare" as the root location.
Add this into sshd_config
    Subsystem sftp internal-sftp
    Match Group sftponly
        PasswordAuthentication yes
        ForceCommand internal-sftp
        ChrootDirectory /var/www/OrangeShare/%u
        AllowTcpForwarding no
        AllowAgentForwarding no
        PermitTunnel no
        PermitTTY no
        X11Forwarding no
Save script for adding new user
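    #!/bin/ksh
    # refuse to run without a username, otherwise the paths below collapse to the base directory
    [ -n "$1" ] || { echo "usage: $0 username" >&2; exit 1; }
    # add user (interactive; enter the same name you passed as $1)
    doas adduser
    # add user to sftponly group, otherwise they will have full ssh access
    doas usermod -g sftponly "$1"
    # make user's directory; it stays root-owned, as ChrootDirectory requires
    doas mkdir "/var/www/OrangeShare/$1"
    doas mkdir "/var/www/OrangeShare/$1/pub"
    # pub is the only directory the user can write to
    doas chown "$1:$1" "/var/www/OrangeShare/$1/pub"
    # set the user's password
    doas passwd "$1"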
2. For each new user
    $ ksh newuser.sh usernameHere
Then email the user their credentials, from either your personal email or from your team email if it has one.
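An added check, not part of the original page: sshd_config(5) requires every component of a ChrootDirectory path to be root-owned and not writable by group or others, so this script audits the tree the setup above creates. The function names `chroot_dir_ok` and `audit_share` are hypothetical, and the script checks the base and per-user directories only, not the parent directories above them.

```shell
#!/bin/sh
# Added example (not from the original page): audit the chroot tree.
# sshd refuses a ChrootDirectory unless it is owned by root and not
# writable by group or others; only pub/ should belong to the user.

# chroot_dir_ok DIR [UID]: succeed if DIR is a real directory owned by
# UID (default 0 = root) with no group or other write bit set.
chroot_dir_ok() {
    dir=$1 want_uid=${2:-0}
    [ -d "$dir" ] && [ ! -L "$dir" ] || return 1
    # ls -ldn works on OpenBSD and Linux alike: "drwxr-xr-x 2 0 0 ..."
    set -- $(ls -ldn "$dir")
    mode=$1 uid=$3
    [ "$uid" = "$want_uid" ] || return 1
    case $mode in
        d????w*|d???????w*) return 1 ;;  # group-write or other-write bit
    esac
    return 0
}

# audit_share BASE [UID]: print one "BAD <path>: reason" line per problem
# and return the number of problems found (0 = clean).
audit_share() {
    base=${1%/} owner=${2:-0} bad=0
    if ! chroot_dir_ok "$base" "$owner"; then
        echo "BAD $base: must be owned by uid $owner, not group/other-writable"
        bad=$((bad + 1))
    fi
    for udir in "$base"/*/; do
        [ -d "$udir" ] || continue
        udir=${udir%/}
        if ! chroot_dir_ok "$udir" "$owner"; then
            echo "BAD $udir: must be owned by uid $owner, not group/other-writable"
            bad=$((bad + 1))
        fi
        if [ ! -d "$udir/pub" ]; then
            echo "BAD $udir: missing pub/ upload directory"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Stand-alone use: sh audit.sh /var/www/OrangeShare
if [ $# -gt 0 ]; then audit_share "$@"; fi
```

A directory reported here is one where sshd will drop the SFTP session at login with a "bad ownership or modes for chroot directory" error in its log.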
Sources:
http://undeadly.org/cgi?action=article&sid=20080220110039
https://man.openbsd.org/sftp-server
https://unix.stackexchange.com/questions/503312/is-it-possible-to-grant-users-sftp-access-without-shell-access-if-yes-how-is-i