Chroot

Users with sftp access without ssh access (for file hosting)

1. Do one time setup

$ doas mkdir /var/www/OrangeShare/
$ doas groupadd sftponly

Edit your httpd config to set "/OrangeShare" as the root location.

Add this into sshd_config

Subsystem       sftp    internal-sftp
Match Group sftponly
  PasswordAuthentication yes
  ForceCommand internal-sftp
  ChrootDirectory /var/www/OrangeShare/%u
  AllowTcpForwarding no
  AllowAgentForwarding    no
  PermitTunnel    no
  PermitTTY       no
  X11Forwarding   no

Save script for adding new user

#!/bin/ksh
# add user
doas adduser
# add user to sftponly group, otherwise they will have full ssh access
doas usermod -g sftponly $1
# make user's directory
doas mkdir /var/www/OrangeShare/$1
doas mkdir /var/www/OrangeShare/$1/pub
doas chown $1:$1 /var/www/OrangeShare/$1/pub
# set the user's password
doas passwd $1

2. For each new user

 $ ksh newuser.sh usernameHere
 Then email to the user their credentials, from either your personal email or from your team email if it has one.

Sources:

http://undeadly.org/cgi?action=article&sid=20080220110039
https://man.openbsd.org/sftp-server
https://unix.stackexchange.com/questions/503312/is-it-possible-to-grant-users-sftp-access-without-shell-access-if-yes-how-is-i

To change sftp accessed directory from /home/USER to /var/www/htdocs/USER