LinuxQuestions.org
Old 12-15-2008, 01:22 AM   #1
crispyleif
Member
 
Registered: Mar 2005
Location: Norway, by the coast
Distribution: Debian and the likes
Posts: 190

Rep: Reputation: 31
SSH config for SFTP


I have a home server that I ssh into when needed. If I need graphics I start vnc and tunnel it over ssh. So I'm good. Anyway, some relatives have asked very kindly if I can put some certain family pictures on the net for them to download.
I don't want to do regular ftp, so I've been trying ftps (with vsftpd) but it gives me firewall grudges.

So, I started to think about making a directory shared over ssh using only password login (no keys)- something they could reach via winscp for instance.

What I want to accomplish is a SSH config that doesn't change my current ability to login to MY account (I'm using only keys), but grants user "relative" access to one directory, NO shell access (chrooted?), and preferably forces the connection to be sftp rather than scp. phuh.



All thoughts welcome.
 
Old 12-15-2008, 02:01 AM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
Well, I think you will need to chroot for the directory side, and define a given user's shell for nologin to prevent shell logins. http://www.debian-administration.org/articles/590
 
Old 12-16-2008, 03:46 AM   #3
crispyleif
Member
 
Registered: Mar 2005
Location: Norway, by the coast
Distribution: Debian and the likes
Posts: 190

Original Poster
Rep: Reputation: 31
Thanks for the very informative link. This partly solved it for me.
By adding "PasswordAuthentication yes" to the config I can now login as myself using keys only, and users in group sftponly can login to their chrooted home directory with their password. No extras needed (rssh, libs, etc.).

What remains is to force the connection to be sftp rather than scp, and make sure they can access files with a client, but no shell.
I tried setting shell to /bin/false but then I got access denied. I guess ssh needs shell access to do sftp... so I'm stuck there. But it's going forth.

In case someone is in the same pit, here's the end of /etc/ssh/sshd_config (this is a Gentoo system):

# override default of no subsystems
Subsystem sftp internal-sftp

# everything below applies only to members of group sftponly
Match group sftponly
    ChrootDirectory /home/%u
    ForceCommand internal-sftp
    AllowTCPForwarding no
    X11Forwarding no
    PubkeyAuthentication no
    PasswordAuthentication yes
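
Added example, not part of the original post: a small Python audit that resolves which sshd_config settings apply inside and outside the `Match group sftponly` block above and reports missing restrictions. The global section in `SAMPLE` is constructed (the post shows only the end of the file), and Match handling is simplified to exact `Match group <name>` lines.

```python
# Added example: resolve effective sshd_config settings for a set of groups.
# Simplified: only "Match group <name>" criteria, first value per keyword wins.
SAMPLE = """\
# constructed global section (assumption: key-only logins for normal accounts)
PasswordAuthentication no
PubkeyAuthentication yes
Subsystem sftp internal-sftp

Match group sftponly
    ChrootDirectory /home/%u
    ForceCommand internal-sftp
    AllowTCPForwarding no
    X11Forwarding no
    PubkeyAuthentication no
    PasswordAuthentication yes
"""

# Restrictions an sftp-only account should end up with.
REQUIRED = {"forcecommand": "internal-sftp",
            "allowtcpforwarding": "no",
            "x11forwarding": "no"}

def parse(text):
    """Return (global_settings, [(match_criteria, settings), ...])."""
    glob, blocks, current = {}, [], None
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        key = parts[0].lower()              # sshd keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":                  # a Match block runs to the next Match or EOF
            current = {}
            blocks.append((value, current))
        else:
            (glob if current is None else current).setdefault(key, value)
    return glob, blocks

def effective(text, groups):
    """Settings that apply to a user who is a member of `groups`."""
    glob, blocks = parse(text)
    eff = {}
    for criteria, settings in blocks:
        crit = criteria.split()
        if len(crit) == 2 and crit[0].lower() == "group" and crit[1] in groups:
            for k, v in settings.items():
                eff.setdefault(k, v)
    for k, v in glob.items():               # globals fill in whatever Match did not set
        eff.setdefault(k, v)
    return eff

def audit(text, groups):
    """List the restrictions missing for members of `groups` (empty list = OK)."""
    eff = effective(text, groups)
    problems = [f"{k} should be {want!r}, is {eff.get(k)!r}"
                for k, want in REQUIRED.items() if eff.get(k, "").lower() != want]
    if eff.get("chrootdirectory", "none").lower() == "none":
        problems.append("chrootdirectory is not set")
    return problems
```

On a live host, `sshd -T` with a `-C` connection spec prints the effective configuration that sshd itself computes, which is the authoritative check.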
 
Old 12-17-2008, 07:06 AM   #4
pnorten462
LQ Newbie
 
Registered: Nov 2008
Posts: 6

Rep: Reputation: 0
Re : SSH config for SFTP

Hi friend,
On the SFTP Server page of the SSH Configuration utility you can configure the settings for secure file transfer protocol (SFTP). You can restrict regular users to have access only to specified directories, define their home directory and specify the events that are collected in the event log. With the Accessible directories feature you can define virtual directories for the users, and restrict them to have access only to those directories.
 
Old 12-17-2008, 07:08 AM   #5
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
what utility would that be??
 
Old 12-17-2008, 09:48 AM   #6
crispyleif
Member
 
Registered: Mar 2005
Location: Norway, by the coast
Distribution: Debian and the likes
Posts: 190

Original Poster
Rep: Reputation: 31
Indeed, do tell!

EDIT: The thing in your signature maybe? Not good advertising speaking about it that way... now I know I can NEVER let myself try that program (should I for some reason feel the need).

If no, please disregard the above.

Last edited by crispyleif; 12-17-2008 at 09:49 AM.
 
Old 12-17-2008, 07:40 PM   #7
javaroast
Member
 
Registered: Apr 2005
Posts: 131

Rep: Reputation: 19
I've used rssh in the past to do exactly what you are talking about. It allows sftp logins but no shell account. Use it in combination with a Chroot jail and it makes a pretty good sftp solution.

http://sourceforge.net/projects/rssh/

And here's an article that I found that takes you through the setup:
http://www.cyberciti.biz/tips/rhel-c...ssh-shell.html
 
Old 12-18-2008, 07:07 AM   #8
crispyleif
Member
 
Registered: Mar 2005
Location: Norway, by the coast
Distribution: Debian and the likes
Posts: 190

Original Poster
Rep: Reputation: 31
That was the first I looked into, but I thought rssh was a restricted shell allowing only scp and sftp commands?

That + chroot is of course right on, but I have to say the openssh chroot command is neat.

Thanks for telling anyway.
 
  

