OpenBSD | SFTP with Logging and public key authentication

Some hints and an example:
* Add a group sftpgroup, i.e. this /etc/group entry: sftpgroup:*:1001:
* Add a user sftpuser1.
* Add a home directory for this user; it is the sftp data directory. Here we use /data/sftp/sftpuser1
* Chown and chmod this directory so that ls -l shows it as: drwxr-x--- 4 root sftpgroup 512 Jan 5 12:53 sftpuser1 (it must be owned by root and not be group- or world-writable, otherwise sshd refuses to chroot into it)
* Tune this user's passwd entry. Always (!) use vipw, otherwise your changes to /etc/passwd will be overwritten: sftpuser1:*:1001:1001::/data/sftp/sftpuser1:/sbin/nologin
* Add a directory /data/sftp/sftpuser1/uploads_downloads
* Chown this directory so that ls -l shows it as: drwxr-xr-x 2 sftpuser1 sftpgroup 5120 Jan 10 06:16 uploads_downloads (Why? Because of the chroot security restrictions the user sftpuser1 can't write directly to /data/sftp/sftpuser1, which has to stay owned by root; the user-owned subdirectory is the only writable area)
* Copy your standard sshd_config file to sftpd_config.
* Modify this file:

...
Port 65522
...
AuthorizedKeysFile /etc/ssh/sftp_authorized_keys/%u
...
Match Group sftpgroup
ChrootDirectory /data/sftp/%u
# TUNE SYSLOGD.CONF: -l INFO -f LOCAL0 only produces a log once local0 is routed to a file (see below).
# Keep such comments on their own line: ForceCommand takes the rest of its line verbatim as the command.
ForceCommand internal-sftp -u 0077 -d /uploads_downloads -l INFO -f LOCAL0
AllowTCPForwarding no

* Touch /var/log/sftp.log
* Modify /etc/syslogd.conf. Add local0.info /var/log/sftp.log (the chrooted internal-sftp can still log on OpenBSD because libc uses the sendsyslog(2) system call, so no /dev/log socket is needed inside the chroot)
* pkill -HUP syslogd
* Create directory /etc/ssh/sftp_authorized_keys
* Put sftpuser1's public key into the file /etc/ssh/sftp_authorized_keys/sftpuser1 (keep the directory and the file owned by root and not group- or world-writable, so sshd's StrictModes check accepts them)
