SFTP Server

Overview
This article describes solutions for providing an SFTP service on Gentoo.

OpenSSH SFTP Server
OpenSSH now has a built-in feature that provides a quick and easy chrooted SFTP environment. This description is primarily taken from this blog post on the new OpenSSH SFTP feature, with a little help from The Minstrel.

It assumes the following:
 * You don't want to use SCP (there are known issues)
 * User authentication and access control done by PAM
 * Process execution may not be allowed (sorry, I'm not that in-depth on chroot jails), but the beauty of this solution is that you aren't lumbered with setting up a full chroot jail execution environment

You will need OpenSSH > 4.9. This should be part of the base Gentoo install (the current version at the time of writing is 5.1, so an up-to-date system should be fine).

Edit your sshd_config and add the following lines for a given user (you can do this for groups as well with Match Group groupname): /etc/ssh/sshd_config

Replace sftpuser with the username and set the ChrootDirectory path to the jail path. The jail path must be owned by root. sshd also automatically looks for home/sftpuser/ under the chroot directory to set the connecting user's home directory, so you may not need to use %h.

In some cases you may need to replace the Subsystem definition line with: /etc/ssh/sshd_config

If the user account should not be allowed an SSH login, set its shell to /sbin/nologin or /bin/false (remembering that the shell must be listed in /etc/shells; neither is in a default Gentoo setup).

SFTP logging
If you need logging from the SFTP server, you need to tell the server to be verbose on the ForceCommand: /etc/ssh/sshd_config
You also need a /dev/log inside the chroot. For syslog-ng this is done like this: /etc/syslog-ng/syslog-ng.conf

Full SSH or SFTP Jail Based On User
Using the above information and another walkthrough, the following procedure lets you give full ssh/scp access to one set of users while restricting another set to an sftp jail. First, the sshd_config file must be modified to restrict logins to only two groups, fullssh and sftponly. Users who are members of the fullssh group get full access to the system using ssh, scp, sftp and related functions. Users who belong to sftponly are restricted to the sftp jail. Edit /etc/ssh/sshd_config so that users in the fullssh group have full ssh shell access, while those in the sftponly group are forced into the SFTP jail. All path components of the jail directory must be owned by root, i.e.

The new groups must be added, and you should add the desired users to the fullssh group:

as well as the initial test user:

Note that the -m option is not passed to useradd, because sshd resolves the home directory relative to the chroot directory.

The home directory inside the chroot jail must be created by hand:

Upon successful authentication, SFTP will resolve the /sftptest directory relative to the chrooted directory and place the user into /data/sftpjail/sftptest, where the user will be able to upload files without needing to change to another directory.

Because internal-sftp requires that every path component named in the ChrootDirectory directive be owned by root, specifying ChrootDirectory /data/sftpjail/%u in sshd_config would have required /data/sftpjail/sftptest itself to be root-owned. Since that is the directory SFTP places the user in after authentication, the user would not have permission to upload anything there and would have to change to a subdirectory first.

Changes to sshd_config won't be picked up until after you restart sshd: