This is actually a simple process.
Here is my default (before editing specifics) sshd_config file for SFTP servers:
Code:
# $OpenBSD: sshd_config,v 1.93 2014/01/10 05:59:19 djm Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/local/bin:/usr/bin
### Networking and Protocol Version ###
## Ports and Protocols
Protocol 2
Port 22
## Not necessary to change the below
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
## Disable TCPKeepAlive (Easily Exploited)
TCPKeepAlive no
## Use ClientAliveInterval and restrict it to prevent spoofing. Every 60 seconds,
## the server will contact the client, expecting a response, if the client has been inactive.
## If no response is received after the 3rd attempt, the server will terminate the connection
ClientAliveInterval 60
ClientAliveCountMax 3
### Networking and Protocol Version ###
### Key Configuration ###
## Host Keys; These keys are used to identify the server to the connecting
## clients. Do not change.
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key
## Ciphers and keying
#RekeyLimit default none
### Key Configuration ###
### Logging ###
SyslogFacility AUTHPRIV
LogLevel INFO
### Logging ###
### Authentication ###
## You have 2 minutes to enter a correct key or password
LoginGraceTime 2m
## PermitRootLogin yes should only be used when ALL SSH connections
## are restricted using AllowUsers
PermitRootLogin no
## Require keys to be writable only by the owner (user) of that key
StrictModes yes
## Maximum login attempts a user can make per connection. Failures are logged after half
## the authentication attempts are reached per connection
MaxAuthTries 6
MaxSessions 25
## Users are allowed to use Keys for access so long as the user has uploaded their
## key to the path below.
## <users home directory>/.ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
## This can be easily exploited. Leave disabled.
HostbasedAuthentication no
## Deny all empty passwords.
PermitEmptyPasswords no
## Acceptable Authentication Types
PasswordAuthentication yes
RSAAuthentication yes
PubkeyAuthentication yes
## Unnecessary if you are going to allow the use of keys
ChallengeResponseAuthentication no
## Kerberos options; unless the system is tied to Kerberos, do not use
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes
## GSSAPI options; do not change unless this has been implemented
## network wide
#GSSAPIAuthentication yes
#GSSAPICleanupCredentials no
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
#GSSAPIEnablek5users no
## Use PAM for Password Authentication. If you are strictly using keys, set this
## to no.
UsePAM yes
## We are using privilege separation, do not use login service
UseLogin no
## Maximum number of unauthenticated connections allowed.
## I.e. this is the number of those still trying to connect
MaxStartups 25
### Authentication ###
### Miscellaneous ###
## Use "sandbox" or "yes"
UsePrivilegeSeparation sandbox
## Show last login information of user
PrintLastLog yes
## Allow graphical user interface
X11Forwarding yes
## Display a message of the day and its location (banner).
## Uncomment if one has been placed on the system.
#PrintMotd yes
#Banner /etc/motd
## Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
## Use the internal-sftp subsystem built into SSH; this allows better management of restricted
## accounts.
## BE AWARE THAT SCP WILL NO LONGER WORK ON THE SERVER WITH THIS SUBSYSTEM!
Subsystem sftp internal-sftp
### CHROOT Accounts ###
## This only works with openSSH v4.8+ (Recommended 5.0+)
## Root must own /home/nfs; chown root.root /home/nfs
## Don't forget the permissions: chmod 755 /home/nfs
## All chroot users must be placed in the sftponly group
Match group sftponly
ChrootDirectory /home/nfs/
X11Forwarding no
AllowTCPForwarding no
ForceCommand internal-sftp
Now, for the most part, I set up my SFTP servers with CentOS, so when I install my LDAP (usually a Turnkey Linux openLDAP solution), I perform the following on the LDAP client:
yum -y install openldap openldap-clients nss-pam-ldapd authconfig-tui
authconfig-tui
Select Use LDAP, Use MD5, Use Shadow, Use LDAP Authentication, and Local is sufficient. On the next screen, enter your LDAP server and base DN information.
I also add my LDAP server to my hosts file.
In LDAP, I create a posixAccount with /sbin/nologin (essentially no shell) and set its home directory to /home/nfs/<username>. All my chroot SFTP users belong to the same group: sftponly
Next, I need to make sure that the system will create home directories if they don't already exist:
authconfig --enablemkhomedir --update
I also set up Fail2Ban on my SFTP server, but that's dealer's choice.
I don't use that chroot script stuff; I've run into too many problems with that process. It was great back in the day, I'm sure, but this accomplishes what I need, and I create a template in openLDAP and run with it for all my user creation in these events.
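As an added example (not the poster's own tooling), the following Python script parses an sshd_config, including its Match blocks, the way sshd reads it (comments stripped, first value for a keyword wins) and audits the settings the post relies on for chrooted SFTP: root login and empty passwords denied, host-based auth off, internal-sftp as the subsystem, and the sftponly Match block carrying ChrootDirectory, ForceCommand and the forwarding restrictions. The SAMPLE config is a constructed excerpt of the posted file, not the full original.

```python
import re
# Settings the post relies on: the global section, then the sftponly Match block.
GLOBAL_EXPECTED = {"permitrootlogin": "no", "hostbasedauthentication": "no",
                   "permitemptypasswords": "no", "subsystem": "sftp internal-sftp"}
MATCH_EXPECTED = {"chrootdirectory": None,  # None: must be set, any path accepted
                  "forcecommand": "internal-sftp", "x11forwarding": "no", "allowtcpforwarding": "no"}

def parse_sshd_config(text):
    """Return (global_settings, {match_criteria: settings}); keywords are lower-cased."""
    global_cfg, matches, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()            # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        key = parts[0].lower()
        value = " ".join(parts[1].split()) if len(parts) > 1 else ""
        if key == "match":                              # lines below apply only to this block
            current = value.lower()
            matches.setdefault(current, {})
            continue
        target = global_cfg if current is None else matches[current]
        target.setdefault(key, value)                   # like sshd: first value seen wins
    return global_cfg, matches

def _check(settings, expected, label):
    findings = []
    for key, want in expected.items():
        got = settings.get(key)
        if got is None or (want is not None and got.lower() != want):
            findings.append(f"{label} {key}: want {want or 'any value'!r}, got {got!r}")
    return findings

def audit(text):
    """Return findings as strings; an empty list means the config passes every check.
    A missing 'Match group sftponly' block yields one finding per expected keyword."""
    global_cfg, matches = parse_sshd_config(text)
    return (_check(global_cfg, GLOBAL_EXPECTED, "global") +
            _check(matches.get("group sftponly", {}), MATCH_EXPECTED, "sftponly"))

# Constructed sample: the relevant lines of the posted config.
SAMPLE = """\
PermitRootLogin no
PermitEmptyPasswords no
HostbasedAuthentication no
Subsystem sftp internal-sftp
Match group sftponly
    ChrootDirectory /home/nfs/
    X11Forwarding no
    AllowTCPForwarding no
    ForceCommand internal-sftp
"""
```

Run `audit(open("/etc/ssh/sshd_config").read())` on a real host to see which of the post's settings it deviates from.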