Ajouter miscellaneous/chrooted_SFTP-only.md

miscellaneous/chrooted_SFTP-only.md

@@ -0,0 +1,88 @@
+# Chrooted SFTP-Only Access Configuration
+
+This guide describes how to set up a chrooted environment with SFTP-only access for users, using SSH keys.
+
+## Prerequisites
+
+- A server running GNU/Linux
+- Root access to the server.
+- OpenSSH installed and running.
+
+## Steps
+
+### 1. Create a Chroot User
+
+```bash
+useradd <username>
+```
+
+### 2. Create SFTP Group
+
+```bash
+groupadd sftpusers
+```
+
+### 3. Add the User to SFTP Group
+
+```bash
+usermod -aG sftpusers <username>
+```
+
+### 4. Setup Chroot Directory
+
+Create a directory for SFTP users, ensuring proper ownership and permissions.
+
+```bash
+mkdir -p /sftp/<username>
+chown root:root /sftp
+chmod 755 /sftp
+mkdir /sftp/<username>
+chown <username>:<username> /sftp/<username>
+chmod 700 /sftp/<username>
+```
+
+### 5. Configure SSH for SFTP Access
+
+Modify `/etc/ssh/sshd_config` to use internal SFTP and set restrictions.
+
+1. Update the `Subsystem` line:
+
+    ```bash
+    Subsystem sftp internal-sftp
+    ```
+
+2. Add a `Match` block at the end:
+
+    ```bash
+    Match Group sftpusers
+        ChrootDirectory /sftp/%u
+        ForceCommand internal-sftp
+        AllowTcpForwarding no
+        X11Forwarding no
+    ```
+
+### 6. Setup User's SSH Keys
+
+Create and configure SSH directories for the user:
+
+```bash
+mkdir /home/<username>/.ssh
+touch /home/<username>/.ssh/authorized_keys
+chmod 700 /home/<username>/.ssh
+chmod 600 /home/<username>/.ssh/authorized_keys
+chown <username>:<username> /home/<username>/.ssh
+chown <username>:<username> /home/<username>/.ssh/authorized_keys
+```
+
+Copy the public SSH key to `/home/<username>/.ssh/authorized_keys`.
+
+### 7. Restart SSH Service
+
+```bash
+systemctl restart sshd
+```
+
+## Verification
+
+- Attempt an SFTP connection to verify restricted access.
+- Ensure users cannot access the shell.