Configuration file (a second, SFTP-only sshd instance; the stock sshd keeps its own config and port):
/etc/ssh/sshd_config-sftponly
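# ZYV
# Dedicated sshd instance for chrooted SFTP. Started by
# /etc/init.d/sshd-sftponly with "-f /etc/ssh/sshd_config-sftponly", so
# nothing here affects the stock sshd on port 22.
PasswordAuthentication yes
PermitRootLogin no
PidFile /var/run/sshd-sftponly.pid
Port 2234
Protocol 2
# PAM is bypassed for this instance: sshd checks passwords against the
# system password database directly, so PAM-enforced policy (failed-login
# lockout, pam_access rules, PAM session limits) does not apply on 2234.
# Confirm that is intended before exposing this port beyond a trusted net.
UsePAM no
# Only members of sftponly may use this instance; any other local account
# is refused before authentication instead of merely being chrooted.
AllowGroups sftponly
Subsystem sftp internal-sftp
# The chroot root itself must be owned by root and not group/world-writable
# or sshd refuses the login ("bad ownership or modes for chroot directory").
ChrootDirectory /srv/sftp
AllowTcpForwarding no
X11Forwarding no
# Every session runs the in-process SFTP server, whatever the account's
# shell is and whatever command the client asks for.
ForceCommand internal-sftp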
Init script: /etc/init.d/sshd-sftponly
#!/bin/bash
#
# Init file for SFTP-only OpenSSH server daemon
#
# chkconfig: 2345 55 25
# description: SFTP-only OpenSSH server daemon
#
# processname: sshd-sftponly
# config: /etc/ssh/ssh_host_key
# config: /etc/ssh/ssh_host_key.pub
# config: /etc/ssh/ssh_random_seed
# config: /etc/ssh/sshd_config-sftponly
# pidfile: /var/run/sshd-sftponly.pid
# source function library
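. /etc/rc.d/init.d/functions
RETVAL=0
prog="sshd-sftponly"
# Some variables to make the below more readable.
# $SSHD is a symlink to /usr/sbin/sshd (see the setup steps); the distinct
# basename gives this instance its own process name so killall/killproc
# never touch the stock sshd.
SSHD=/usr/sbin/sshd-sftponly
PID_FILE=/var/run/sshd-sftponly.pid
# ZYV
LOCK_FILE=/var/lock/subsys/sshd-sftponly
# The dedicated config file is all that distinguishes this instance from
# the default sshd (separate port, PidFile, chroot, ForceCommand).
# Deliberately expanded unquoted where used, so it word-splits into args.
OPTIONS="-f /etc/ssh/sshd_config-sftponly"
# Current runlevel: the last word of `runlevel` output ("N 3" -> 3).
runlevel=$(set -- $(runlevel); eval "echo \$$#" )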
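# Start the SFTP-only listener and, on success, drop the subsys lock file.
# Sets RETVAL to 0 on success, non-zero otherwise.
start()
{
	# The privilege-separation chroot (/var/empty/sshd) has no localtime of
	# its own; presumably copied in so the unprivileged child keeps the local
	# time zone. Best effort, so its status is not checked.
	cp -af /etc/localtime /var/empty/sshd/etc
	echo -n $"Starting $prog: "
	# $OPTIONS must stay unquoted so it splits into "-f <config>".
	# success/failure (init functions library) print the status marker and
	# return 0/1 respectively, which RETVAL picks up on the next line.
	$SSHD $OPTIONS && success || failure
	RETVAL=$?
	[ "$RETVAL" = 0 ] && touch "$LOCK_FILE"
	echo
}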
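# Stop the listener recorded in the pid file; on halt/reboot also kill any
# per-connection sshd-sftponly processes. Sets RETVAL from killproc.
stop()
{
	echo -n $"Stopping $prog: "
	if [ -n "$(pidfileofproc $SSHD)" ] ; then
		killproc $SSHD
	else
		failure $"Stopping $prog"
	fi
	RETVAL=$?
	# In the halt or reboot runlevel kill all running sessions (not just the
	# listener) so the client TCP connections are closed cleanly. killall
	# matches on the process name, which is why the symlink name matters.
	if [ "x$runlevel" = x0 ] || [ "x$runlevel" = x6 ] ; then
		killall $prog 2>/dev/null
	fi
	[ "$RETVAL" = 0 ] && rm -f "$LOCK_FILE"
	echo
}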
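# Send SIGHUP to the listener so it re-reads /etc/ssh/sshd_config-sftponly.
# Existing SFTP sessions are left alone. Sets RETVAL from killproc.
reload()
{
	echo -n $"Reloading $prog: "
	if [ -n "$(pidfileofproc $SSHD)" ] ; then
		killproc $SSHD -HUP
	else
		failure $"Reloading $prog"
	fi
	RETVAL=$?
	echo
}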
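# Dispatch on the init action. RETVAL is set by the called function (or
# directly below) and becomes the script's exit status.
case "$1" in
	start)
		start
		;;
	stop)
		stop
		;;
	restart)
		stop
		start
		;;
	reload)
		reload
		;;
	condrestart)
		# Only restart if the instance was running (lock file present).
		if [ -f "$LOCK_FILE" ] ; then
			stop
			# avoid race: give the old listener time to release port 2234
			# before the new one tries to bind it
			sleep 3
			start
		fi
		;;
	status)
		# The pid file identifies this instance; "openssh-daemon" is the label
		# the stock sshd init script uses here and only shows up in the
		# printed status line. With two sshd instances on the host, passing
		# "$prog" instead would make that line unambiguous.
		status -p "$PID_FILE" openssh-daemon
		RETVAL=$?
		;;
	*)
		echo $"Usage: $0 {start|stop|restart|reload|condrestart|status}"
		RETVAL=1
esac
exit $RETVAL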
Directory and library setup (run as root):
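# Chroot tree. sshd requires the ChrootDirectory itself (/srv/sftp) to be
# owned by root and not writable by group or others, otherwise logins fail
# with "bad ownership or modes for chroot directory" - set it explicitly
# rather than relying on the current umask.
mkdir -p /srv/sftp/{home,lib,sbin}
chown root:root /srv/sftp
chmod 755 /srv/sftp
# NOTE(review): with "Subsystem sftp internal-sftp" and "ForceCommand
# internal-sftp" the SFTP server runs inside sshd itself, so no loader,
# libc or shell is ever executed inside the chroot. The lib/ and sbin/
# entries below are therefore not needed for SFTP and only widen what is
# available inside the chroot; they can be dropped. Note also that hard
# links fail across filesystems (use cp if /srv is a separate mount).
ln /lib/ld-2.5.so /srv/sftp/lib
ln /lib/ld-linux.so.2 /srv/sftp/lib
ln /lib/libc-2.5.so /srv/sftp/lib
ln /lib/libc.so.6 /srv/sftp/lib
ln /sbin/nologin /srv/sftp/sbin
# Same binary under a distinct name: gives this instance its own process
# name, pid file and init script, independent of the stock sshd.
ln -s /usr/sbin/sshd /usr/sbin/sshd-sftponly
chkconfig --add sshd-sftponly
chkconfig sshd-sftponly on
service sshd-sftponly start
# Group that holds the SFTP-only accounts (see AllowGroups in the config).
groupadd sftponly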
Adding a user
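# nologin as the shell is only belt-and-braces: ForceCommand internal-sftp
# means no shell is ever run for SFTP sessions. Options go before the
# login name, and -G replaces the separate usermod -a -G step.
useradd -s /sbin/nologin -G sftponly sftpuser
# useradd leaves the password locked; since this instance only enables
# password authentication, set one with "passwd sftpuser" (not shown here)
# before testing the login.
# Home directory inside the chroot. After the chroot sshd changes into the
# account's home as seen from inside it, so this assumes useradd's default
# home of /home/sftpuser (-> /srv/sftp/home/sftpuser). Only the chroot root
# must be root-owned; the user's own directory may be owned by the user.
mkdir -p /srv/sftp/home/sftpuser
chown -R sftpuser:sftponly /srv/sftp/home/sftpuser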
Example usage
# Connect to the SFTP-only instance on its dedicated port (2234, not 22).
sftp -oPort=2234 sftpuser@<IP or hostname>