===== Configure a SFTP only user =====
When somebody needs to transfer files to a server, that user should not get more privileges than the task requires.\\
Often this is an automated process between two well-known servers.\\
OpenSSH has a built-in SFTP server that can easily be used for this purpose.\\
The following describes the configuration for a user that can only access the directory created for the purpose, needs a key to authenticate and can only connect from a specific IP address.\\
The following assumes:
- server for the storage is myserver
- share is SHARE
- domain is myserver (the server itself, it's not in a domain)
- SFTP user is remote-sftp
- SFTP user's home is /SFTP/remote-sftp/storage
Create a file with the credentials for the SMB share (it is referenced by the credentials= option in /etc/fstab below):
cat > /root/myserver.crd
username=
password=
domain=
Create the folder structure
mkdir /SFTP
mkdir /SFTP/remote-sftp
chown root:root /SFTP
chown root:root /SFTP/remote-sftp
chmod 0711 /SFTP
chmod 0755 /SFTP/remote-sftp
Create a user and a group with the same name, with no login shell, and set the home directory to the chroot directory
Note the uid and gid assigned to the user; they are required for mounting the SMB share with the right ownership
# --user-group creates a group named after the user (--group expects an existing group as argument)
useradd --system --user-group --shell /bin/false -d /SFTP/remote-sftp remote-sftp
Add an entry to /etc/fstab that mounts the storage share on the SFTP user's directory, so that uploads land on the share and the server's own storage doesn't fill up
In /etc/fstab add
# /// // cifs credentials=/root/,uid=,gid=,file_mode=0660,dir_mode=0770 0 0
//myserver/SHARE // cifs credentials=/root/,uid=,gid=,file_mode=0660,dir_mode=0770 0 0
Create the "home" directory for the SFTP user (the writable directory inside the chroot, which is also the mount point of the share)
# mkdir -p /path/to/remote-sftp-storage/storage
mkdir /SFTP/remote-sftp/storage
# change the owner of the directory to the user
chown remote-sftp:remote-sftp /SFTP/remote-sftp/storage
# give the user read, write and traverse permission (the x bit on a directory means "enter it") and nothing to others;
# once the share is mounted the cifs dir_mode=0770 from fstab applies instead
chmod 0770 /SFTP/remote-sftp/storage
Modify /etc/ssh/sshd_config and add the following at the end of the file (Match blocks must come after the global settings). When a keyword appears in several Match blocks that apply to a connection, only its first instance is used, so the block for the expected client address comes first and a catch-all block for the user closes everything else. A Match Address pattern consisting only of a negated entry (Address !x) never matches, which is why the catch-all block names no address at all.
# allow key auth if the ip address is right: the expected client address goes after Address
Match User remote-sftp Address
PasswordAuthentication no
PubkeyAuthentication yes
ChrootDirectory /SFTP/remote-sftp
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp -l VERBOSE -f LOCAL0
# deny access if the ip address is not the expected server (the first instance of a keyword wins, so this only applies to other addresses)
Match User remote-sftp
PasswordAuthentication no
PubkeyAuthentication no
Generate the key pair on the client with ssh-keygen
# ssh-keygen -t rsa -C "remote-sftp@myserver" -f "\"
ssh-keygen -t rsa -C "remote-sftp@myserver" -f C:\Keystore\id_rsa
On the SFTP server, add the public key (id_rsa.pub) to authorized_keys in the .ssh directory of the user's home (/SFTP/remote-sftp, the chroot). sshd reads the file with the user's privileges, and StrictModes requires that neither .ssh nor authorized_keys is writable by group or others, so keep both root-owned and world-readable: the jailed user can then read but not alter them.
mkdir -p -m 0755 /SFTP/remote-sftp/.ssh
cd /SFTP/remote-sftp/.ssh
cat id_rsa.pub >> authorized_keys
chmod 0644 authorized_keys
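Added check script, not part of the original page: it verifies the rules sshd applies to the chroot directory chain and to the .ssh files set up above, then prints the settings that the Match blocks yield for a connection from the expected client. CHROOT, the host name myserver and CLIENT_IP are assumptions; CLIENT_IP is a placeholder from the documentation address range to replace with the address used in the Match block.

```sh
#!/bin/sh
# Added check script, not from the original page. CHROOT and CLIENT_IP are
# assumptions; CLIENT_IP is a documentation-range placeholder to replace
# with the address used in the Match block. Needs GNU/busybox stat.
CHROOT="${CHROOT:-/SFTP/remote-sftp}"
CLIENT_IP="${CLIENT_IP:-203.0.113.10}"

# 0 when neither the group nor the other write bit is set (octal mode from stat)
mode_ok() { [ $(( 0$(stat -c %a "$1") & 022 )) -eq 0 ]; }

# sshd accepts a ChrootDirectory only if every path component is a
# root-owned directory that nobody else can write to; check one component.
component_ok() {
    [ -d "$1" ] && [ "$(stat -c %u "$1")" -eq 0 ] && mode_ok "$1"
}

# Walk from the chroot up to / and apply component_ok to each directory.
chroot_path_ok() {
    p="$1"
    case "$p" in /*) ;; *) echo "not an absolute path: $p" >&2; return 1 ;; esac
    while :; do
        component_ok "$p" || { echo "bad owner or mode: $p" >&2; return 1; }
        [ "$p" = / ] && return 0
        p=$(dirname "$p")
    done
}

# StrictModes: .ssh and authorized_keys must belong to root or to the user
# ($1 is the user's numeric uid) and must not be group/world writable.
keyfile_ok() {
    [ -e "$2" ] || return 1
    owner=$(stat -c %u "$2")
    { [ "$owner" -eq 0 ] || [ "$owner" -eq "$1" ]; } && mode_ok "$2"
}

check_all() {
    uid=$(id -u remote-sftp 2>/dev/null) || { echo "no remote-sftp user" >&2; return 1; }
    chroot_path_ok "$CHROOT" || return 1
    keyfile_ok "$uid" "$CHROOT/.ssh" || { echo "bad .ssh" >&2; return 1; }
    keyfile_ok "$uid" "$CHROOT/.ssh/authorized_keys" || { echo "bad authorized_keys" >&2; return 1; }
    # Effective settings for a connection from CLIENT_IP (run as root so sshd can read its host keys).
    if command -v sshd >/dev/null 2>&1; then
        sshd -T -C "user=remote-sftp,host=myserver,addr=$CLIENT_IP" |
            grep -Ei '^(chrootdirectory|forcecommand|pubkeyauthentication|passwordauthentication|allowtcpforwarding) '
    fi
}

if check_all; then echo "sftp jail checks passed"; else echo "sftp jail checks FAILED" >&2; fi
```

Run the whole script as root on the SFTP server; the sshd -T output should show chrootdirectory, forcecommand and pubkeyauthentication yes for the expected address, and re-running with another CLIENT_IP should show pubkeyauthentication no.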
Hand the private key (id_rsa) to the SFTP client.
Install a script that moves content from or to the SFTP user's directory.