I have a server which enables some users of my services to upload files using SFTP. When I talk about users, I can neither be sure who they are nor how many have access.
I have set up the access as follows:
- SFTP (SSH) access with username and password: `PasswordAuthentication yes`.
- Users belong to the group `sftp`, which is forced to use `internal-sftp`.
- Login is sandboxed to `ChrootDirectory %h`, which is `/srv/sftp/incoming`.
- Login shell is `/bin/false`.
Is there anything else I can do to secure SFTP access for such a range of users?
The machine runs ArchLinux. The webserver is nginx, but the files in `/srv/sftp/incoming` are not served by the webserver. It's just for internal use.
Best Answer
You can set up SSH keys for every user, so they have to use a private key to get access to the SFTP server. Let clients generate the private and public key themselves and send you the public key, so you can add it to the `~/.ssh/authorized_keys` file. You can of course generate the private and public key yourself, but that means you need to send the private key to the client somehow, which makes it insecure.
When the keys are set up you can disable password login in `/etc/ssh/sshd_config`, so they have to use a private key to get access to the server.
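As an added example (not part of the answer above), here is an `sshd_config` fragment that combines the key-only login with the chroot and `internal-sftp` setup from the question. The `AuthorizedKeysFile` path under `/etc/ssh/authorized_keys/` is an assumed, administrator-chosen location, not something from the question.

```text
# --- Global settings ---
# Keys only: disable passwords. Also turn off keyboard-interactive, because
# with PAM enabled a password prompt can still be offered through that path
# even when PasswordAuthentication is "no".
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes

# Assumed location: keep authorized_keys outside the users' home/chroot so only
# the administrator can add or remove keys. sshd reads this file before it
# chroots, so the path is resolved on the real filesystem, not inside %h.
AuthorizedKeysFile /etc/ssh/authorized_keys/%u

Subsystem sftp internal-sftp

# --- Settings that apply only to the sftp group ---
# ChrootDirectory requires that %h and every directory above it be owned by
# root and not writable by group or others. Users therefore cannot write to
# the chroot root itself; give each one a writable subdirectory (for example
# /srv/sftp/incoming/upload, owned by that user) for the actual uploads.
Match Group sftp
    ChrootDirectory %h
    ForceCommand internal-sftp
    # SFTP-only accounts have no reason to tunnel traffic or get a terminal.
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTunnel no
    PermitTTY no
```

Check the effective configuration with `sshd -T -C user=<name>` before restarting, and keep an existing session open while testing so a mistake in the `Match` block does not lock you out.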