SFTP Setup:
/etc/ssh/sshd_config:
Subsystem sftp internal-sftp
Match Group sftpusers
PasswordAuthentication yes
ChrootDirectory /srv/sftponly
AllowTCPForwarding no
X11Forwarding no
ForceCommand internal-sftp
Adding the sftp group:
groupadd sftpusers
Creating the only account for SFTP Access
useradd -d /srv/sftponly -g sftpusers -s /bin/false sftpuser
passwd sftpuser
Restart openssh:
/etc/init.d/ssh restart
Setting Permission for the directory
chown root:root /srv ; chown root:root /srv/sftponly ; chmod 755 /srv ; chmod 755 /srv/sftponly
Making a Public Directory:
mkdir /srv/sftponly/public
chown sftpuser:sftpusers /srv/sftponly/public/
chmod 333 /srv/sftponly/public/
ls -ltd
d-wx-wx-wx 2 sftpuser sftpusers 4096 Oct 15 14:51 /srv/sftponly/public/
This allows people to upload a file and doesn't allow you to list anything, which is perfect, but I need to take it a step further and not allow downloading of anything. So for example, I upload a file called test_file.txt (sensitive data) using SFTP, and if someone else knows this filename he can download it by specifying the same name. Is it possible to restrict SFTP to only allow uploading of a file, not being able to list anything, and ultimately not allowing downloading of any file regardless of whether the name is known?
Many thanks for the reply. Could you elaborate? Another option that was mentioned was to create a cron entry to either remove or move the files to another directory.
OK, long story short, I managed to get things straight with my SFTP server and login. I am still stuck on the umask stuff in preventing a user who uploads a file from allowing another user to download it if they know what the file name is. I have been asked to use only one account to allow users to upload information and prevent others from downloading it. So the goal is to allow an upload of files one time only and that's it. I played around in /etc/ssh/sshd_config:
ForceCommand internal-sftp -u 0000
Is this what I need, or am I invoking this wrong? Or did I read umask wrong; should it be 777 (not allowing any permissions)? I get confused with chmod stuff.
Match Group sftpusers
PasswordAuthentication yes
ChrootDirectory /srv/sftponly/public
AllowTCPForwarding no
X11Forwarding no
ForceCommand internal-sftp
Set the permissions of the directory (the chroot path has to be owned by root and only have write access for root!), with the public folder having the correct permissions (in this case "testuser" is the public folder, with chmod 300 (wx) as the permissions of the folder).
d-wx------ 2 testuser sftpuser 4096 Oct 17 21:11 /srv/sftponly/public/testuser/
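Two checks a practitioner would want for the setup above, written here as an added example rather than anything posted in the thread: one that walks a ChrootDirectory path and applies sshd's rule that every component must be root-owned and not group/world writable (the cause of "bad ownership or modes for chroot directory" failures), and one that shows what mode an upload gets for a given `internal-sftp -u <umask>`. The umask helper assumes OpenSSH's behaviour of creating the file with the mode the client requested, or 0666 when the client sends none, and then letting the umask strip bits. `-u 0000` therefore leaves uploads at 0666, readable by everyone on the box; `-u 077` gives 0600, which is still readable by the shared sftp account that owns it; only `-u 0777` (mode 0000) stops that account reopening the file, and even then the owner can put the read bits back with an SFTP setstat request unless the server is told to refuse it (newer OpenSSH releases take a `-P` denied-requests list on sftp-server/internal-sftp). The path walker assumes `ls -ld` output with the mode string first and the owner in the third field; the script name and the `--check`/`--umask` flags are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: sanity checks for an upload-only SFTP chroot.
# Assumes `ls -ld` output with the mode string first and the owner in field 3,
# and OpenSSH's rule of creating uploads with the client-requested mode (0666
# when the client sends none) before the umask given with `-u` is applied.

# sshd refuses to chroot unless every directory from / down to ChrootDirectory is
# owned by root and not writable by group or others. Takes one `ls -ld` mode
# string and an owner name so the rule can be tested without touching the disk.
chroot_component_ok() {
    [ "$2" = root ] || return 1
    case $1 in
        ?????w*)    return 1 ;;   # 6th character: group write bit set
        ????????w*) return 1 ;;   # 9th character: other write bit set
    esac
    return 0
}

# Walk every component of an absolute directory path and apply the rule above.
# Prints the first offending component and returns 1; returns 0 when the whole
# path is acceptable for ChrootDirectory.
check_chroot_path() {
    _rest=${1#/}                   # components still to visit, leading slash gone
    _path=/
    while :; do
        _line=$(ls -ld -- "$_path") || return 1
        set -- $_line              # $1 = mode string, $3 = owner name
        if ! chroot_component_ok "$1" "$3"; then
            echo "bad ownership or modes for chroot component $_path ($1 $3)"
            return 1
        fi
        [ -n "$_rest" ] || return 0
        _comp=${_rest%%/*}
        _path="${_path%/}/$_comp"
        _rest=${_rest#"$_comp"}
        _rest=${_rest#/}
    done
}

# Mode an uploaded file ends up with for a given `internal-sftp -u <umask>`.
# $1 = umask in octal as written in sshd_config; $2 = mode requested by the
# client (optional, defaults to 0666 as OpenSSH does when none is sent).
upload_mode_for_umask() {
    printf '%04o\n' $(( 0${2:-666} & ~0$1 ))
}

# Command-line use (script name is this example's own):
#   sh sftp_chroot_check.sh --check /srv/sftponly/public
#   sh sftp_chroot_check.sh --umask 0000   -> 0666 (readable by every local user)
#   sh sftp_chroot_check.sh --umask 077    -> 0600 (still readable by the sftp account)
case "${1:-}" in
    --check) check_chroot_path "$2" ;;
    --umask) upload_mode_for_umask "$2" "${3:-}" ;;
esac
```

Run `--check` against the ChrootDirectory value from the Match block before restarting sshd; it reports the same component sshd would reject. Note that `/srv/sftponly/public/testuser` from the listing above is below the chroot and may be owned by the upload account, but `/srv/sftponly/public` itself and everything above it must pass the check.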