I want to restrict a user's access on a server to a single directory over SFTP and nothing else, not even an ssh shell. Here is my take after searching info on the net:
First, edit the ssh config file:
sudo nano /etc/ssh/sshd_config
Change the Subsystem line (or add one if it is not already there):
Subsystem sftp internal-sftp
Add the following lines to the bottom of the config file:
Match group sftponly
    ChrootDirectory %h
    # Force the connection to use SFTP and chroot to the required directory.
    ForceCommand internal-sftp
    # Disable network tunneling.
    PermitTunnel no
    # Disable authentication agent forwarding.
    AllowAgentForwarding no
    # Disable TCP connection forwarding.
    AllowTcpForwarding no
    # Disable X11 remote desktop forwarding.
    X11Forwarding no
This config says that members of the group 'sftponly' may use ssh solely for sftp and for no other purpose, including the forwarding functions.
This means we have to create that system group (it can be named something else). Save and exit the config file by pressing Ctrl + X and Enter, then issue this command in the shell:
sudo addgroup sftponly
Then add the user whose ssh access you want to limit to this group. In this example we assume this is a new user, so we create them first.
sudo adduser testuser
Then add them to the group.
sudo usermod testuser -g sftponly
Next, change the home directory of this user to the directory you want to confine access to.
sudo usermod testuser -d /path/to/newhome
Now restart the ssh service for the change to take effect.
sudo service ssh restart
Finally, change to the new user's home directory and set the ownership and permissions so the user can access its contents. Note that sshd only accepts a ChrootDirectory that is owned by root and not writable by group or others, so the home directory itself should stay root-owned (the commands below only touch what is inside it) and the user should get a writable subdirectory inside it for uploads.
cd /path/to/newhome
sudo chown testuser:sftponly -R *
sudo chmod 755 -R *
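To verify a setup like the one above before relying on it, here is an added example script (my own, not from the original post) with two checks: one that confirms an sshd_config contains every directive from the Match block, and one that confirms a chroot directory meets sshd's ownership and permission rule. It runs on a constructed config file and a scratch directory, so it does not touch a real server; it assumes GNU coreutils (stat -c), a POSIX sh, and the group name 'sftponly' used in the post. The uid parameter of the directory check exists only so the check can be exercised on a scratch directory; in production it is 0.

```shell
#!/bin/sh
# Added example (not part of the original post): sanity checks for an
# sftp-only chroot setup, run on constructed input.

# Check that a config file contains every directive from the post's Match block.
# Prints each directive that is absent; returns 0 only when all are present.
# It does not verify that the directives sit inside the Match block.
check_sftp_config() {
    cfg="$1"
    rc=0
    for directive in \
        'Subsystem sftp internal-sftp' \
        'Match group sftponly' \
        'ChrootDirectory %h' \
        'ForceCommand internal-sftp' \
        'PermitTunnel no' \
        'AllowAgentForwarding no' \
        'AllowTcpForwarding no' \
        'X11Forwarding no'
    do
        # Anchor at line start so commented-out copies ("# ForceCommand ...") do not count.
        if ! grep -qiE "^[[:space:]]*$directive[[:space:]]*(#.*)?$" "$cfg"; then
            echo "missing: $directive"
            rc=1
        fi
    done
    return $rc
}

# sshd refuses to chroot into a directory unless it is owned by root and not
# writable by group or others. $2 is the uid that must own it: 0 in production,
# parameterised here only so the check can be exercised on a scratch directory.
check_chroot_dir() {
    dir="$1"
    want_uid="${2:-0}"
    rc=0
    info=$(stat -c '%u %a' "$dir" 2>/dev/null) || { echo "$dir: cannot stat"; return 1; }
    uid=${info%% *}
    mode=${info#* }
    if [ "$uid" != "$want_uid" ]; then
        echo "$dir: owned by uid $uid, must be uid $want_uid"
        rc=1
    fi
    # The last two octal digits are the group and other permission bits;
    # a digit of 2, 3, 6 or 7 means the write bit is set.
    case "$mode" in
        *[2367]?|*[2367])
            echo "$dir: mode $mode is group- or world-writable"
            rc=1 ;;
    esac
    return $rc
}

# sshd applies the same rule to every component of the path, so walk up to /.
check_chroot_path() {
    p="$1"
    want_uid="${2:-0}"
    rc=0
    while :; do
        check_chroot_dir "$p" "$want_uid" || rc=1
        [ "$p" = "/" ] && break
        p=$(dirname "$p")
    done
    return $rc
}

# Stand-alone demonstration on constructed input (not a real server config).
demo_dir=$(mktemp -d)
cat > "$demo_dir/sshd_config" <<'EOF'
Subsystem sftp internal-sftp
Match group sftponly
    ChrootDirectory %h
    ForceCommand internal-sftp
    PermitTunnel no
    AllowAgentForwarding no
    # AllowTcpForwarding no   (constructed mistake: left commented out)
    X11Forwarding no
EOF
echo "config check:"
check_sftp_config "$demo_dir/sshd_config" || echo "config is NOT sftp-only"
mkdir "$demo_dir/home" && chmod 775 "$demo_dir/home"
echo "chroot check:"
check_chroot_dir "$demo_dir/home" "$(id -u)" || echo "directory would be rejected by sshd"
rm -rf "$demo_dir"
```

On a real server, run check_sftp_config against /etc/ssh/sshd_config and check_chroot_path against the user's new home with the default uid of 0; the walker matters because a root-owned home under a group-writable parent is still rejected by sshd.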