From f83faafe95c7e69c4d1bc98a440c9c39a264bb3a Mon Sep 17 00:00:00 2001 From: Philippe Favre Date: Thu, 24 Oct 2024 10:11:20 +0200 Subject: [PATCH] Add miscellaneous/chrooted_SFTP-only.md --- miscellaneous/chrooted_SFTP-only.md | 88 +++++++++++++++++++++++++++++ 1 file changed, 88 insertions(+) create mode 100644 miscellaneous/chrooted_SFTP-only.md diff --git a/miscellaneous/chrooted_SFTP-only.md b/miscellaneous/chrooted_SFTP-only.md new file mode 100644 index 0000000..b4a7261 --- /dev/null +++ b/miscellaneous/chrooted_SFTP-only.md 
@@ -0,0 +1,88 @@ +# Chrooted SFTP-Only Access Configuration + +This guide describes how to set up a chrooted environment with SFTP-only access for users, using SSH keys. + +## Prerequisites + +- A server running GNU/Linux +- Root access to the server. +- OpenSSH installed and running. + +## Steps + +### 1. Create a Chroot User + +```bash +useradd +``` + +### 2. Create SFTP Group + +```bash +groupadd sftpusers +``` + +### 3. Add the User to SFTP Group + +```bash +usermod -aG sftpusers +``` + +### 4. Setup Chroot Directory + +Create a directory for SFTP users, ensuring proper ownership and permissions. + +```bash +mkdir -p /sftp/ +chown root:root /sftp +chmod 755 /sftp +mkdir /sftp/ +chown : /sftp/ +chmod 700 /sftp/ +``` + +### 5. Configure SSH for SFTP Access + +Modify `/etc/ssh/sshd_config` to use internal SFTP and set restrictions. + +1. Update the `Subsystem` line: + + ```bash + Subsystem sftp internal-sftp + ``` + +2. Add a `Match` block at the end: + + ```bash + Match Group sftpusers + ChrootDirectory /sftp/%u + ForceCommand internal-sftp + AllowTcpForwarding no + X11Forwarding no + ``` + +### 6. Setup User's SSH Keys + +Create and configure SSH directories for the user: + +```bash +mkdir /home//.ssh +touch /home//.ssh/authorized_keys +chmod 700 /home//.ssh +chmod 600 /home//.ssh/authorized_keys +chown : /home//.ssh +chown : /home//.ssh/authorized_keys +``` + +Copy the public SSH key to `/home//.ssh/authorized_keys`. + +### 7. Restart SSH Service + +```bash +systemctl restart sshd +``` + +## Verification + +- Attempt an SFTP connection to verify restricted access. +- Ensure users cannot access the shell. \ No newline at end of file
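Review bot: Step 4 breaks the chroot it is setting up: the lines `chown : /sftp/` and `chmod 700 /sftp/` give the per-user directory (the path step 5 later names with `ChrootDirectory /sftp/%u`) to the user, and sshd refuses to chroot into any path that is not owned by root and free of group/other write permission, logging "bad ownership or modes for chroot directory" and closing the session, so every SFTP login will fail. Keep the per-user directory root-owned (`chown root:root`, `chmod 755`, or `750` with group `sftpusers`) and create a user-owned subdirectory inside it, for example an `upload` directory, as the only writable location; the user then lands in a read-only root with a writable subfolder, which is the standard layout for `internal-sftp`. Related to the same step, the username placeholder is missing from every command that needs one (`useradd`, `usermod -aG sftpusers`, `mkdir /sftp/`, `chown : /sftp/`, `/home//.ssh`), most likely an angle-bracket token that Markdown swallows as an HTML tag; use a visible placeholder such as `USERNAME` or a shell variable so the commands can be copied. In step 1, plain `useradd` does not create `/home/<user>` on distributions whose login.defs lacks `CREATE_HOME` (Debian and Ubuntu), which makes step 6's `mkdir /home//.ssh` fail; `useradd -m -s /usr/sbin/nologin` (or `mkdir -p`) fixes that, and it is worth a sentence explaining that keys stay under `/home/<user>/.ssh` because sshd reads `authorized_keys` from the passwd home directory during authentication, before the chroot is applied. In step 5 the guide's stated goal is key-based access, but the `Match Group sftpusers` block never disables passwords; add `PasswordAuthentication no` there (and, for the same hardening intent as `AllowTcpForwarding no`, `AllowAgentForwarding no` and `PermitTunnel no`). In step 7, run `sshd -t` before `systemctl restart sshd` so a syntax error in the `Match` block cannot lock you out of the host, and note that the unit is called `ssh` on Debian and Ubuntu. Minor style point: the two `sshd_config` snippets are fenced as `bash` although they are configuration, not shell; an untagged or `text` fence avoids misleading highlighting.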