We are running a public server where we would like to provide a more secure option than mere ftp.

Since customers can upload their own pages to the server, they have to be able to upload files, ftp is the obvious choice, but we do not want defaced websites due to password sniffing or other bugs in ftp servers etc...

So, sftp comes to mind, however, a user must have a valid shell in order to be able to use sftp, allowing him to ssh into the box (very undesirable). So, does anyone know how I can solve this? I basically need a valid shell without having a valid shell.

I have no idea how sshd actually checks this, if it is performed by actually executing something like:
${USR_SHELL} -c /usr/lib/ssh/sftpd
Then it is a simple matter writing a program that'll check that those are the arguments and then execve to that, otherwise quit.

Any help welcome.

Haven't got the URI's at hand right now, but checking Feshmeat/Googling around for "scponly" or "rssh" should give you an idea what you need to do.

scp only homepage
http://www.sublimation.org/scponly/

Set /usr/libexec/openssh/sftp-server to be the default shell in /etc/passwd

Eg. sftpuser:x:4837:4841:SFTP User:/home/sftpuser:/usr/libexec/openssh/sftp-server

Just out of curiosity. Can we just change the shell of the user to some inexistent shell so the user can't log in at all?

Yes. You can set the shell to /bin/false.

As for the orriginal question, I proceeded to write sftpsh available at http://www.kroon.co.za/sftpsh.php that solved it for me. The jailprep script can probably do with some improvement but it does the job for me.

The problem with scponly was that it still allowed a little bit too much access and iirc it was extremely difficult to make it chroot.

Have a look at http://olivier.sessink.nl/jailkit

A quick look doesn't answer the obvious question: How do they actually prevent execution of other commands? Take the sftp example/howto they give, they essentially copy the required commands into the jail area _before_ the client even connects to ssh. Fair enough, fire up sftp, upload my own static executable (say my own version of bash), reconnect. Granted, not a complete installation available, but certainly some CPU available. Some memory too.

I may be wrong and they do actually do something to prevent the above "hack".

Oh, it's also possible to replace /home/jail/etc/jailkit/jk_lsh.ini. Unless of course you as the system administrator knows how to use chattr +i .

Very, very good set of tools otherwise though. As far as I can gather. Deffinately more complete than what I did.

scponly is a quick method to prevent shell access and setting up a chroot environment.