sftp with chroot and file creation problem

Chris
I configured a second sshd systemd service using its own sshd configuration with a different TCP port configured in it and the following configuration of the sftp subsystem:

Match Group sftponly
  ChrootDirectory /srv/%u
  AllowTcpForwarding no
  ForceCommand internal-sftp
  PubkeyAuthentication yes
  PasswordAuthentication no
  PermitTunnel no
  AllowAgentForwarding no
  X11Forwarding no

The user I created in the sftponly group is:

uid=1001(sftpuser) gid=1001(sftponly) groups=1001(sftponly)

The directory tree for chroot is:

drwxr-xr-x   3  root     root           22 Aug 27 15:43 /srv
drwxr-xr-x   4  root     root           34 Aug 27 18:27 /srv/sftpuser
drwx------   2  sftpuser sftponly       29 Aug 27 15:43 /srv/sftpuser/.ssh
-rw-r--r--   1  sftpuser sftponly      398 Aug 27 15:43 /srv/sftpuser/.ssh/authorized_keys

I can successfully do sftp with the private key; however, I can't create any file in the user's /srv/%u chroot directory:

sftp> ls -al
drwxr-xr-x    3 root     root           18 Aug 27 16:38 .
drwxr-xr-x    3 root     root           18 Aug 27 16:38 ..
drwx------    2 sftpuser sftponly       29 Aug 27 13:43 .ssh
sftp> mkdir one
Couldn't create directory: Permission denied
sftp>

When I do chown sftpuser /srv/sftpuser and go back to the active sftp session I can create files, but when I log out I can't log in to sftp anymore, until I change the /srv/%u directory back to be owned by root:

Connection to 192.168.1.110 closed by remote host.
Connection closed

I can of course create an additional directory inside /srv/%u (/srv/sftpuser) owned by sftpuser, but is this the only solution with chroot? Why can't the user change/upload files directly to /srv/%u?

Additional question: how do I prevent other users on the system from using this custom sshd configured for sftp only? When I set the two options PubkeyAuthentication and PasswordAuthentication to no above the Subsystem line in the custom sshd_config_sftponly and restart the sshd daemon, regular system users can still log in with their password using that custom sshd port.
