@hisnameisjimmy
Created December 11, 2017 20:14
Chrooted SFTP Server Setup
# Add the following to the bottom of /etc/ssh/sshd_config
# This makes it so any user in the group sftponly only has access to
# their chrooted home directory and is forced into internal-sftp. In this situation,
# we're going to make the home directory the chroot. We'll also
# comment out PasswordAuthentication so that we don't run into issues there.
# This setup will prevent shell access as long as you use the script over here:
# https://gist.github.com/hisnameisjimmy/a3cbc5c7c925ce8854afa350cb01cfe4
#
# Two things to check before appending:
# 1. The stock sshd_config already has a "Subsystem sftp ..." line (usually
#    /usr/lib/openssh/sftp-server). Comment it out or replace it; a second
#    Subsystem line makes sshd -t fail with "Subsystem 'sftp' already defined".
# 2. sshd only chroots into a directory (and every parent of it) that is owned
#    by root and not writable by group or others. With ChrootDirectory /home/%u
#    that means /home/<user> must be root:root mode 755, and the user gets a
#    writable subdirectory inside it for uploads. Otherwise the login fails with
#    "bad ownership or modes for chroot directory".
# The Match block must stay at the very end of the file: every directive after a
# Match line applies only to sessions that match it.
#
## Start /etc/ssh/sshd_config changes
#
# PasswordAuthentication yes
Subsystem sftp internal-sftp
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
# SFTP Only
Match Group sftponly
ChrootDirectory /home/%u
ForceCommand internal-sftp
AllowTcpForwarding no
#
## End /etc/ssh/sshd_config changes
#
# Test that the sshd_config will work (needs root to read the host keys)
sudo sshd -t
# Restart SSH if things look good
sudo service ssh restart
# Create sftponly group (users you add to it get the Match block above)
sudo addgroup sftponly
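As an added example (not the gist's own script) the procedure above can be wrapped in a few shell functions: one builds the sshd_config fragment, one checks that a directory meets sshd's ChrootDirectory ownership and mode rules, and one applies the whole setup for a user as root. The function names, the `upload` subdirectory, and the `/usr/sbin/nologin` shell path are this example's assumptions.

```shell
#!/bin/sh
# Added example for the chrooted SFTP setup above; not the gist author's code.
# Function names, the "upload" subdirectory and the nologin path are assumptions.

# Print the sshd_config fragment for GROUP with CHROOT (default /home/%u).
# Subsystem has to come before Match; everything after a Match line applies
# only to matching sessions, so this fragment belongs at the end of the file.
sftp_match_block() {
    group="${1:-sftponly}"
    chroot="${2:-/home/%u}"
    printf '%s\n' \
        "Subsystem sftp internal-sftp" \
        "Match Group $group" \
        "    ChrootDirectory $chroot" \
        "    ForceCommand internal-sftp" \
        "    AllowTcpForwarding no" \
        "    X11Forwarding no"
}

# Return 0 if an octal mode string (e.g. 755 or 1755) has no group/other write bit.
mode_not_group_world_writable() {
    [ $(( 0$1 & 022 )) -eq 0 ]
}

# Return 0 if DIR exists, is owned by root and is not group/other writable,
# which is what sshd demands before it will chroot into it. The reason for a
# failure goes to stderr.
chroot_dir_ok() {
    dir="$1"
    if [ ! -d "$dir" ]; then
        echo "$dir: not a directory" >&2; return 1
    fi
    # GNU stat first, BSD stat as fallback
    owner=$(stat -c '%u' "$dir" 2>/dev/null || stat -f '%u' "$dir")
    mode=$(stat -c '%a' "$dir" 2>/dev/null || stat -f '%OLp' "$dir")
    if [ "$owner" != 0 ]; then
        echo "$dir: owned by uid $owner, sshd requires root" >&2; return 1
    fi
    if ! mode_not_group_world_writable "$mode"; then
        echo "$dir: mode $mode is group/world writable" >&2; return 1
    fi
    return 0
}

# Apply the setup for USER (run as root; not exercised by the checks below):
# create the group, put the user in it with no shell, make the home a
# root-owned chroot with a user-writable upload directory, replace the stock
# Subsystem line, append the fragment once, and validate before restarting.
setup_sftp_user() {
    user="$1"; group="${2:-sftponly}"; home="/home/$user"
    getent group "$group" >/dev/null || addgroup "$group"
    usermod -s /usr/sbin/nologin -aG "$group" "$user"
    chown root:root "$home" && chmod 755 "$home"
    mkdir -p "$home/upload" && chown "$user:$user" "$home/upload"
    chroot_dir_ok "$home" || return 1
    # comment out the distribution's sftp-server Subsystem line (backup kept)
    sed -i.bak 's/^Subsystem[[:space:]]\{1,\}sftp/# &/' /etc/ssh/sshd_config
    grep -q "^Match Group $group" /etc/ssh/sshd_config ||
        sftp_match_block "$group" >> /etc/ssh/sshd_config
    sshd -t && service ssh restart
}
```

`chroot_dir_ok /home/alice` is the check worth running whenever an SFTP user gets "bad ownership or modes for chroot directory" in the auth log; `setup_sftp_user alice` performs the full procedure and stops before the restart if `sshd -t` rejects the configuration.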