Hello everyone!
Nothing particularly new here, it's a rather common tutorial.
The goal here is to create a dedicated SFTP server using OpenSSH, while chrooting users into their home directories. These users can only connect to their storage directory, not to a bash session.
Lastly, it will be easy to disable an account by placing it in a specific group that we're going to create.
1) Create the group for users authorized to connect via SFTP:
groupadd sftpex
2) Create the group that will allow disabling a user's account:
groupadd nosftp
You see the purpose: to stop a user from connecting to their SFTP account, you just add that user to the nosftp group.
This works because the Match Group nosftp block is placed before the Match Group sftpex block in /etc/ssh/sshd_config: sshd uses the first value it obtains for each keyword, so the ForceCommand /usr/bin/false from the nosftp block takes precedence over the ForceCommand internal-sftp from the sftpex block for a user who is in both groups.
To disable an account:
usermod -G sftpex,nosftp myuser
(usermod -G replaces the whole list of supplementary groups, so sftpex has to be repeated; giving only nosftp would silently drop the user out of sftpex, and therefore out of the chroot block.)
To enable the user again, just remove the user from the nosftp group
(edit /etc/group and delete myuser from the nosftp line, leaving the sftpex line untouched).
3) Create the root for the SFTP server:
mkdir /SFTP
4) Create an SFTP user:
useradd -G sftpex -s /bin/false -m -d /SFTP/myuser myuser
passwd myuser
5) Configure permissions on the chroot directory:
chown root:sftpex /SFTP/myuser
sshd refuses to chroot unless the directory and every component of its path are owned by root and not writable by group or others, so /SFTP/myuser must stay at mode 755 or stricter (check with ls -ld /SFTP /SFTP/myuser, and chmod 755 /SFTP/myuser if needed). This is why the user gets a writable DATA subfolder in the next step instead of writing into the chroot root itself.
6) Create a folder for myuser:
mkdir /SFTP/myuser/DATA
chown myuser:sftpex /SFTP/myuser/DATA
chmod 700 /SFTP/myuser/DATA
7) Configure /etc/ssh/sshd_config
Install nano if you don't use vi
pkg install nano
Replace /usr/libexec/amd64/sftp-server with internal-sftp and add the chroot configuration.
Open /etc/ssh/sshd_config, find the Subsystem section and make it match the following:
# no default banner path
Banner none
# override default of no subsystems
Subsystem sftp internal-sftp
# disabled accounts: this block must come first, sshd keeps the first value of each keyword
Match Group nosftp
    ForceCommand /usr/bin/false
# SFTP-only accounts, chrooted into /SFTP/<username>
Match Group sftpex
    ChrootDirectory /SFTP/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
8) Check the configuration and restart sshd:
sshd -t
svcadm restart svc:/network/ssh:default
(sshd -t only tests the configuration file; it prints nothing when the file is valid, so run it before restarting to avoid locking yourself out.)
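As an added check that is not part of the original post: a small shell function that verifies an sshd_config contains the directives from step 7 and that the nosftp block comes before the sftpex block, relying on the first-value-wins rule explained in step 2. The two sample configurations embedded in it are constructed, and the function name and messages are my own.

```shell
#!/bin/sh
# Added example (not from the original post): check an sshd_config for the
# directives this tutorial relies on and for their order. sshd keeps the first
# value it obtains for each keyword, so the nosftp block must precede sftpex.
check_sftp_config() {   # usage: check_sftp_config FILE, or pipe a config on stdin
    awk '
        # A Match line opens a new block; keywords before any Match are global.
        /^[ \t]*Match[ \t]+Group[ \t]+/ { block = $3; start = NR; next }
        /^[ \t]*Match[ \t]/             { block = "other"; next }
        /^[ \t]*Subsystem[ \t]+sftp[ \t]+internal-sftp/ && block == "" { subsys = NR }
        /^[ \t]*ForceCommand[ \t]+/ {
            if (block == "nosftp" && $2 ~ /false$/        && !deny)  deny  = start
            if (block == "sftpex" && $2 == "internal-sftp" && !allow) allow = start
        }
        /^[ \t]*ChrootDirectory[ \t]+/ && block == "sftpex" { chroot = NR }
        END {
            if (!subsys) { print "missing: Subsystem sftp internal-sftp"; exit 1 }
            if (!deny)   { print "missing: ForceCommand .../false under Match Group nosftp"; exit 1 }
            if (!allow)  { print "missing: ForceCommand internal-sftp under Match Group sftpex"; exit 1 }
            if (!chroot) { print "missing: ChrootDirectory under Match Group sftpex"; exit 1 }
            if (deny > allow) {
                print "wrong order: nosftp block (line " deny ") comes after sftpex block (line " allow ")"
                exit 1
            }
            print "ok: nosftp block (line " deny ") precedes sftpex block (line " allow ")"
        }' "${1:--}"
}
good_config() {   # constructed sample: the step 7 configuration
    cat <<'EOF'
Subsystem sftp internal-sftp
Match Group nosftp
    ForceCommand /usr/bin/false
Match Group sftpex
    ChrootDirectory /SFTP/%u
    ForceCommand internal-sftp
EOF
}
bad_config() {    # constructed sample with the blocks swapped: a disabled user would still get SFTP
    cat <<'EOF'
Subsystem sftp internal-sftp
Match Group sftpex
    ChrootDirectory /SFTP/%u
    ForceCommand internal-sftp
Match Group nosftp
    ForceCommand /usr/bin/false
EOF
}
good_config | check_sftp_config                            # ok: nosftp block (line 2) precedes sftpex block (line 4)
bad_config  | check_sftp_config || echo "exit status $?"   # wrong order: ... then "exit status 1"
```

Run it against the live file with check_sftp_config /etc/ssh/sshd_config before the restart in step 8; a non-zero exit status means the disable-by-group trick would not work as intended.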