WARNING:
Do not make these changes without first uploading a key and logging in with the key to make sure it works correctly. For more information on creating keys and uploading them to your server, check out this info.
HestiaCP offers SFTP chroot jails preconfigured upon installation. This is a great way to give users access to upload files securely via SFTP. It prevents them from browsing outside their home directories. Most importantly, they can use SFTP without having shell access.
You can test this out by connecting to the server with one of your user accounts via SFTP. However, if you have configured SSH to only allow key authentication, you will get an error message similar to this:
Disconnected: No supported authentication methods available (server sent: publickey)
Locking down SSH to require key authentication is done with the following sshd_config update:
PubkeyAuthentication yes
PasswordAuthentication no
Unfortunately, this configuration prevents SFTP connections via password with the default HestiaCP installation. How can we solve this? Let’s modify our SSH config to allow passwords for all of our SFTP chroot jail users. We just need to add one line to the HestiaCP-managed Match condition, typically located at the bottom of the /etc/ssh/sshd_config file.
Match User sftp_dummy99,admin,user1,user2
ChrootDirectory %h
X11Forwarding no
AllowTCPForwarding no
ForceCommand internal-sftp
PasswordAuthentication yes
We’ve added the last line, PasswordAuthentication yes, to this Match condition. The condition covers every user whose shell is set to nologin. Later, if a user requests shell access, simply grant it via HestiaCP; behind the scenes, their username is removed from this condition. They will then be able to log in to a shell, but will have to present a key.
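As an added example (not from the original post and not HestiaCP code), the script below reproduces how sshd resolves a keyword for a given user against Match blocks, so you can see why user1 gets a password prompt while a shell user does not. It runs against a constructed config modelled on the block above and assumes only "Match User" criteria are present.

```python
"""Work out which PasswordAuthentication value a user gets from an sshd_config
that contains Match blocks, mimicking OpenSSH's rule that the first matching
Match block to set a keyword overrides the global value."""
import fnmatch

# Constructed sample modelled on the HestiaCP-managed block in the post.
SAMPLE_SSHD_CONFIG = """\
PubkeyAuthentication yes
PasswordAuthentication no

Match User sftp_dummy99,admin,user1,user2
    ChrootDirectory %h
    X11Forwarding no
    AllowTCPForwarding no
    ForceCommand internal-sftp
    PasswordAuthentication yes
"""

def parse_sshd_config(text):
    """Return (global_opts, blocks); blocks is a list of (user_patterns, opts).
    Assumption: only 'Match User a,b,c' is understood; other criteria never match."""
    global_opts, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "match":
            crit, _, arg = value.partition(" ")
            patterns = arg.split(",") if crit.lower() == "user" else []
            current = {}
            blocks.append((patterns, current))
        elif current is not None:
            current.setdefault(key, value)      # first setting in a block wins
        else:
            global_opts.setdefault(key, value)  # first global occurrence wins
    return global_opts, blocks

def effective_option(text, user, option):
    """Value of `option` that sshd would apply to a connection from `user`."""
    global_opts, blocks = parse_sshd_config(text)
    option = option.lower()
    for patterns, opts in blocks:
        if option in opts and any(fnmatch.fnmatchcase(user, p) for p in patterns):
            return opts[option]
    return global_opts.get(option)
```

On the server itself, `sshd -T -C user=user1 | grep -i passwordauthentication` asks sshd directly for the effective value, and `sshd -t` checks the file for syntax errors before you reload.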
TL;DR
It would be great if there were a way for sshd_config to distinguish SFTP traffic from shell traffic, since we could then isolate our configuration a bit better. In the example outlined above, once you give a user shell access, they will have to use a key to authenticate with SFTP as well.