I want to build a server (running Debian or FreeBSD) that receives backups from different clients via sshfs. Each client should be able to read and write its own backup data, but not the data of any of the other clients.
I had the following idea: each client connects via public key auth to backup@backupserver.local. The user backup has a special authorized_keys file, like this:
command="internal-sftp" chroot="/backup/client-1/data" ssh-rsa (key1)
command="internal-sftp" chroot="/backup/client-2/data" ssh-rsa (key2)
command="internal-sftp" chroot="/backup/client-3/data" ssh-rsa (key3)
etc...
The advantage of this would be that I would not need to use a separate user for every client, and I could easily autogenerate the authorized_keys file with a script.
There is just one problem: the chroot=... does not work. OpenSSH's authorized_keys file does not seem to have an equivalent for ChrootDirectory (which works in /etc/ssh/sshd_config, either globally or in a Match User block).
Is there a reasonably simple way to accomplish what I want using OpenSSH? Maybe using the command=... directive in a clever way?
Alternatively, are there other SFTP servers that can do what I want?
EDIT: To make it more clear what I want to achieve: I want several clients to be able to store files on my server. Each client should not be able to see any other client's files. And I do not want to litter my server with dozens of user accounts, so I'd like an easily manageable solution for the clients to share a user account and still have no access to each other's files.
Best Answer
Yes, you can use ProFTPD.
Prepare the user environment. With ProFTPD there is no need to give the user a valid shell.
In order to use OpenSSH public keys in SFTPAuthorizedUserKeys, you must convert them to the RFC 4716 format. You can do this with the ssh-keygen tool:
Setup ProFTPD
Create DH (Diffie-Hellman) group parameters.
Configure any SFTP client. I have used FileZilla.
If you run ProFTPD in debug mode
in the console you will see something like the following
and the following lines in /var/log/sftp.log
P.S.
The configured path for a file containing authorized keys (SFTPAuthorizedUserKeys) can use the %u variable, which will be interpolated with the name of the user being authenticated. This feature supports having per-user files of authorized keys that reside in a central location, rather than requiring (or allowing) users to manage their own authorized keys. For example:
With ProFTPD it's possible too. You just need to modify my initial configuration a little.
And create one virtual account
That's all. For every additional account all you need is to add its public key to /etc/proftpd/sftp_authorized_keys.
Note: the file must end with a newline! It's important.
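The answer above leaves the key-conversion and file-generation steps to ssh-keygen and a text editor. As an added example (not part of the original answer or of ProFTPD), the following script does the same two things in pure Python: it converts an OpenSSH public-key line into the RFC 4716 block layout that ssh-keygen -e produces, checks that the declared key type matches the type embedded in the key blob, and writes all client keys into one sftp_authorized_keys file that is guaranteed to end with the newline the answer warns about. The sample key is a constructed, syntactically valid ssh-rsa blob with toy numbers, not a real key, and the output path is a placeholder.

```python
import base64
import struct
from pathlib import Path


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire 'string' (uint32 length prefix + data)."""
    return struct.pack(">I", len(data)) + data


def _key_type_of(blob: bytes) -> str:
    """Return the key type string that every OpenSSH public-key blob starts with."""
    (n,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + n].decode("ascii")


def openssh_to_rfc4716(line: str) -> str:
    """Convert one OpenSSH line ('<type> <base64> [comment]') to an RFC 4716 block."""
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2].strip() if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)  # rejects garbage instead of importing it
    if _key_type_of(blob) != key_type:
        raise ValueError("declared key type does not match the type inside the key blob")
    body = base64.b64encode(blob).decode("ascii")
    out = ["---- BEGIN SSH2 PUBLIC KEY ----"]
    if comment:
        out.append(f'Comment: "{comment}"')
    out.extend(body[i:i + 70] for i in range(0, len(body), 70))  # RFC 4716 lines stay under 72 bytes
    out.append("---- END SSH2 PUBLIC KEY ----")
    return "\n".join(out) + "\n"  # every block, and so the file, ends with a newline


def write_authorized_keys(path, openssh_lines) -> int:
    """Write all client keys to one SFTPAuthorizedUserKeys file; returns the number written."""
    blocks = [openssh_to_rfc4716(l) for l in openssh_lines if l.strip() and not l.startswith("#")]
    Path(path).write_text("".join(blocks))
    return len(blocks)


# Constructed sample: a well-formed ssh-rsa blob (type, exponent e, modulus n) with toy values.
_TOY_BLOB = _ssh_string(b"ssh-rsa") + _ssh_string(b"\x01\x00\x01") + _ssh_string(b"\x00\xc3\x7a\x11")
SAMPLE_KEY = "ssh-rsa " + base64.b64encode(_TOY_BLOB).decode("ascii") + " client-1@backup"

if __name__ == "__main__":
    # Placeholder path; on the server this would be /etc/proftpd/sftp_authorized_keys.
    print(write_authorized_keys("/tmp/sftp_authorized_keys.example", [SAMPLE_KEY]))
```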