Please disregard my last... gmail sent the email before I was finished composing it.
On Tue, Sep 27, 2011 at 10:43 AM, David Walker <[email protected]> wrote:

> Hi.
>
> I have some accounts that don't require home directories or shells.
> In the past I used ftpd for web uploading and would do the
> shell==false thing and chroot them and set the login directory via the
> passwd file.
> Bye bye ftpd, hello sshd.
>

Using false for your shell is okay for ftp. It is not for ssh/sftp.

>
> So I'm looking at this again, using the sshd's internal sftp and
> chroot directives on a per user basis. For now I'm looking at using
> password authentication.
> Here's the nervous administrator talking but is this correct ...
>
> If these users connect via ssh, sshd will authenticate them via their
> password entry and once that's achieved, the "home" directory will be
> according to sshd_config and the "shell" will be whatever interface
> sftp provides.
> In other words, for that purpose the home and shell directives in
> master.passwd will never come into play.
>

The user has to have a valid shell (ksh works) even if the match directive is used to process the user to sftp only. The user should have a valid shell, and the sshd_config should use the match directive as follows:

    Match User sftpuser
        X11Forwarding no
        AllowTcpForwarding no
        ForceCommand internal-sftp
        ChrootDirectory /home/sftpuser

Where the user is named sftpuser and the home directory for the user is /home/sftpuser.

Hope this helped.

Stefan Johnson
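
The Match block from the reply above, turned into a configuration check. This is an added example, not part of the original message: the sample configuration is constructed, the account `uploaduser` and the function names are hypothetical, and only settings inside each Match block are examined (global defaults are not considered).

```python
# Added example: lint sshd_config Match blocks that restrict a user to SFTP.
# SAMPLE_CONFIG is constructed; "uploaduser" is a hypothetical second account.
SAMPLE_CONFIG = """\
Subsystem sftp internal-sftp
Match User sftpuser
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp
    ChrootDirectory /home/sftpuser
Match User uploaduser
    ForceCommand internal-sftp
"""

# Settings the message's Match block applies alongside ForceCommand.
REQUIRED = {"x11forwarding": "no", "allowtcpforwarding": "no"}


def parse_match_blocks(text):
    """Return [(criteria, {keyword: value})]; a block runs to the next Match or EOF."""
    blocks, current = [], None
    for raw in text.splitlines():
        parts = raw.split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue  # blank line or comment
        keyword = parts[0].lower()  # sshd_config keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            current = {}
            blocks.append((value, current))
        elif current is not None:
            current.setdefault(keyword, value)  # first value for a keyword wins
    return blocks


def lint_sftp_only(text):
    """List findings for blocks that force internal-sftp but omit the other settings."""
    findings = []
    for criteria, opts in parse_match_blocks(text):
        if opts.get("forcecommand", "").split()[:1] != ["internal-sftp"]:
            continue  # not an SFTP-only block
        if "chrootdirectory" not in opts:
            findings.append(f"{criteria}: ChrootDirectory not set")
        for key, want in REQUIRED.items():
            if opts.get(key, "").lower() != want:
                findings.append(f"{criteria}: {key} is not '{want}'")
    return findings


if __name__ == "__main__":
    print("\n".join(lint_sftp_only(SAMPLE_CONFIG)))
```

sshd also requires every component of the ChrootDirectory path to be owned by root and not writable by group or others; this check reads only the configuration text and does not inspect the filesystem.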

