Install and configure openssh sftp server (not clients).
2022-07-28 Ubuntu 20.04, Raspbian bullseye
openssh has an inbuilt sftp server. openssh is presumed already installed, including inbound ssh access through the firewall.
Domain users are mapped to UNIX accounts as follows:
- Domain user -> UNIX user: user (clearly might need disambiguation)
- UNIX group
- Domain directory: /srv/ftp/domain
- Domain user directory -> UNIX home directory: /srv/ftp/domain, the same as the Domain directory for all domain users in that domain.
Each domain user individually owns their files and can change permissions, but by default all users in a domain have read/write on each other's files. There is no view of other domains.
Base configuration
graham:~ apt list openssh-server --installed
openssh-server/jammy,now 1:8.9p1-3 amd64 [installed,automatic]
- Verify openssh server is installed.
- Verify sshd restarted cleanly.
Add domain geddy.au.
graham:~ sudo mkdir -p /srv/ftp/geddy.au # container for this domain's shares
graham:~ sudo chown root:root /srv/ftp/geddy.au
graham:~ sudo chmod 755 /srv/ftp/geddy.au
- Domain directory must be owned by root and writable only by root (the chown/chmod above); sshd requires this of a chroot directory and every component of its path.
Add domain user to domain
Add domain user fred.nerk to domain geddy.au.
Note: don't put '@' in the username as that causes problems trying to compose remote execution commands.
graham:~ sudo adduser --ingroup sftp-only --shell /usr/sbin/nologin \
    --no-create-home --home /srv/ftp/geddy.au --gecos 'firstname.lastname@example.org' \
    --force-badname fred.nerk # add domain user; group sftp-only must already exist
Password: fred.nerk's password
graham:~ sudo usermod --expiredate 1 fred.nerk # expiry of 1 day after 1970-01-01, i.e. already expired; sshd also refuses expired accounts, so test sftp login after this step
- Domain user is mapped directly to a UNIX system user. This might require disambiguation across domains e.g. by introducing a username prefix for a domain, or the google approach of a unique integer suffix.
- Ensure UNIX login account for domain user is disabled.
- Use the domain directory as the home directory for the UNIX account of all domain users in that domain. sftp access is a chroot jail for all those domain users, i.e. every domain user can reach every other user's files in the domain but has no visibility whatsoever into other domains.
- Domain user home should be writeable by all users in domain.