scripts-admin-debian/miscellaneous/chrooted_SFTP-only.md
2024-10-24 10:11:20 +02:00

# Chrooted SFTP-Only Access Configuration
This guide describes how to set up a chrooted environment with SFTP-only access for users, using SSH keys.
## Prerequisites
- A server running GNU/Linux (the paths below are Debian's)
- Root access to the server
- OpenSSH 4.9 or later installed and running (`ChrootDirectory` and `internal-sftp` were introduced in that release)
## Steps
### 1. Create a Chroot User
Create the user with a home directory (the `authorized_keys` file lives there, see step 6) and no usable login shell. `internal-sftp` never invokes the shell, so `nologin` costs nothing and still closes the door if the `Match` block is ever removed:
```bash
useradd -m -s /usr/sbin/nologin <username>
```
### 2. Create SFTP Group
```bash
groupadd sftpusers
```
### 3. Add the User to SFTP Group
```bash
usermod -aG sftpusers <username>
```
### 4. Setup Chroot Directory
sshd only accepts a `ChrootDirectory` when every path component, including the chroot itself, is owned by root and is not group- or world-writable; otherwise the login fails with "bad ownership or modes for chroot directory". The user therefore must not own `/sftp/<username>`; give them a writable subdirectory inside it instead.
```bash
# Chroot root and its parent: root-owned, not writable by anyone else
mkdir -p /sftp/<username>
chown root:root /sftp /sftp/<username>
chmod 755 /sftp /sftp/<username>
# The only place the user may write, seen as /upload inside the chroot
mkdir /sftp/<username>/upload
chown <username>:<username> /sftp/<username>/upload
chmod 700 /sftp/<username>/upload
```
### 5. Configure SSH for SFTP Access
Modify `/etc/ssh/sshd_config` to use the in-process SFTP server and restrict the group.
1. Update the `Subsystem` line. `internal-sftp` runs inside sshd itself, so no binaries, libraries or device nodes are needed inside the chroot (the external `sftp-server` would need them):
```
Subsystem sftp internal-sftp
```
2. Add a `Match` block at the very end of the file. A `Match` block extends to the next `Match` or to end of file, so any global option written after it would silently apply only to `sftpusers`:
```
Match Group sftpusers
    ChrootDirectory /sftp/%u
    ForceCommand internal-sftp
    PasswordAuthentication no
    AllowTcpForwarding no
    AllowAgentForwarding no
    PermitTunnel no
    X11Forwarding no
```
`PasswordAuthentication no` enforces key-only login for this group even if passwords remain enabled globally; the forwarding and tunnel options stop the account from being used as a network pivot.
### 6. Setup User's SSH Keys
sshd reads `authorized_keys` as root before entering the chroot, so the file lives in the user's real home directory (`/home/<username>`), not under `/sftp`:
```bash
mkdir -p /home/<username>/.ssh
touch /home/<username>/.ssh/authorized_keys
chown -R <username>:<username> /home/<username>/.ssh
chmod 700 /home/<username>/.ssh
chmod 600 /home/<username>/.ssh/authorized_keys
```
Append the user's public key to `/home/<username>/.ssh/authorized_keys`. The user cannot see or change this file from inside the chroot, so key rotation is an administrator task.
### 7. Restart SSH Service
Check the configuration syntax first; restarting with a broken `sshd_config` can lock you out of the server.
```bash
sshd -t
systemctl restart sshd
```
On Debian the unit is `ssh` (`sshd` is an alias), and `systemctl reload ssh` is enough to pick up the change without dropping existing sessions.
## Verification
- Dump the effective configuration for the user and confirm the `Match` block applies: `sshd -T -C user=<username> | grep -Ei '^(chrootdirectory|forcecommand)'` should print `/sftp/<username>` and `internal-sftp`.
- Attempt an SFTP connection: `sftp -i <keyfile> <username>@<server>`. Inside the session `pwd` should print `/`, and uploads should succeed only in `/upload`.
- Ensure users cannot access the shell: `ssh -i <keyfile> <username>@<server>` must be refused with "This service allows sftp connections only."
- If the key is accepted but the session is closed immediately, check the auth log (`journalctl -u ssh`) for "bad ownership or modes for chroot directory" and recheck the ownership of every component of `/sftp/<username>`.