OpenSSHd SFTP w/ Upload Only account (no patching required)

[Squirrelington]

A brief summary of why I was attempting to do this, the pitfalls I experienced and how I overcame the obstacles.

 

The department I work in at the company I am employed frequently has a need to upload data from a customers system but also sometimes needs to be able to give login credentials to another external entity (such as a local IT professional) to upload data. Ultimately we wanted to have a single user for the purpose of uploading data but was secure in the fact that other users using this login couldn't download each others data before it was removed from the server by us.

 

For the past year we have been using ProFTPd to achieve this functionality and it had been working fine up until recently. It now seemingly randomly stops accepting new connections and I was getting frustrated. Initially when I setup the server I had attempted to use OpenSSHd's internal-sftp and /usr/lib/sftp-server to achieve what I wanted to do using a combination of chroot and umask but ultimately fell flat. Umask left us with the user able to create directories and not enter them unless I allowed a umask that gave permissions i was trying to restrict and it also didn't stop a user from chmodding in their sftp client. Searching google left me with tons of answers, none of them fit exactly what we were trying to do unless we patched opensshd and recompiled, something I was attempting to avoid for the sake of ease of maintenance (updating with apt-get rather than manually compiling in patches each time a new version comes out).

 

I had finally figured out how to make this system work and it may seem relatively obvious but there was no info I could find on google for this, at least with the keywords I was trying, and hopefully this helps someone out.

 

---

 

First I added the users we will have in the system for SFTP.

adduser conversions

adduser uploadonly

 

For the conversions and uploadonly user

[Squirrelington]

I didn't really mention it up there but, for clarification, the conversions account is an account that can download and upload and we use that for employees only so we can transfer whatever and the uploadonly account is the limited one we usually use for just uploading and handing out to vendors and IT people.

[binaryzero]

glFTPD could've possibly done what you were trying to achieve.