How to create SFTP jail

Sometimes you need to transfer big files around. Email (when encrypted) is usually available everywhere, but it is not that good with multiple or big files. The generic way is to give SSH access to your server. SSH is encrypted and also supports the SFTP protocol. But giving total strangers SSH access to your network is always a frightening situation. Somebody is touching your servers!

No fear! You can isolate the user pretty well. Put this in your /etc/ssh/sshd_config file:

Match Group sftponly
  PasswordAuthentication yes
  ChrootDirectory %h
  AllowTCPForwarding no
  X11Forwarding no
  ForceCommand internal-sftp

The line “PasswordAuthentication yes” is needed if by default you only allow public-key authentication and you want to make connecting easier for the stranger.

And then you create new users with the command:

useradd -d /home-sftponly/stranger -g sftponly -s /bin/false stranger

Now stranger can access your server only with SFTP and only to that one directory.
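One thing the command above glosses over: sshd refuses a ChrootDirectory unless that directory and every parent up to / is owned by root and writable by nobody else, so the jail itself must be root-owned and the user needs a writable subdirectory inside it. The script below is an added example (not from the original post) that creates such a jail and checks those path invariants; it assumes the post's group sftponly and base directory /home-sftponly, GNU or busybox stat(1), and a hypothetical "upload" subdirectory for the user's files.

```shell
#!/bin/sh
# Added example: build and verify an SFTP jail for the sftponly setup.
# Assumes group "sftponly" and base dir "/home-sftponly" as in the post.

# dir_is_safe DIR [OWNER_UID]: DIR is owned by OWNER_UID (default 0 = root)
# and is not group- or world-writable, which is what sshd demands of every
# component of a ChrootDirectory path.
dir_is_safe() {
    uid=$(stat -c %u "$1") || return 1
    mode=$(stat -c %a "$1") || return 1
    [ "$uid" = "${2:-0}" ] || { echo "$1: owner uid $uid, want ${2:-0}" >&2; return 1; }
    # 022 (octal) masks the group-write and world-write bits
    [ $(( 0$mode & 022 )) -eq 0 ] || { echo "$1: mode $mode is group/world writable" >&2; return 1; }
}

# check_chroot_path DIR: apply dir_is_safe to DIR and every parent up to /.
check_chroot_path() {
    d=$1
    while [ -n "$d" ] && [ "$d" != "/" ]; do
        dir_is_safe "$d" 0 || return 1
        d=$(dirname "$d")
    done
}

# create_sftp_jail USER: root-owned jail plus a user-owned "upload" dir
# (the "upload" name is an assumption of this example). Must run as root.
create_sftp_jail() {
    user=$1
    jail=/home-sftponly/$user
    getent group sftponly >/dev/null || groupadd sftponly
    mkdir -p "$jail/upload"
    chown root:root /home-sftponly "$jail"
    chmod 755 /home-sftponly "$jail"
    useradd -d "$jail" -g sftponly -s /bin/false "$user"
    chown "$user:sftponly" "$jail/upload"
    chmod 750 "$jail/upload"
    # fail loudly now rather than at the stranger's first login attempt
    check_chroot_path "$jail"
}
```

Run `create_sftp_jail stranger` as root; if it prints an offending path, fix that directory's owner or mode before handing out the password.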

Pretty sweet!

And I run this little gem on a separate virtual machine which is totally isolated from the surrounding internal network. It has network access only to the internet. KVM rocks!