SFTP is considered a more secure alternative to FTP and FTPS. No separate FTP server is needed, because the native SSH server is used instead, and SSH does not require an SSL certificate. One drawback is that the default SFTP configuration does not restrict users to their home directory. A chroot'ed setup can easily be configured and integrated with Virtualmin.
Create sftponly group
addgroup --gid 900 sftponly
Create chroot directories
mkdir -p /home/chroot/bin
Virtualmin chroot setup script
cat > /home/chroot/bin/chroot.sh <<EOF
#!/bin/bash
# Virtualmin runs this hook before and after changing a server. Only top-level
# (parent) servers get a jail; sub-servers share the parent's user and home.
if [ ! "\$VIRTUALSERVER_PARENT" ]
then
  if [ "\$VIRTUALSERVER_ACTION" == "CREATE_DOMAIN" ]
  then
    if [ ! "\$VIRTUALSERVER_CREATED" ]
    then
      # Before creation: make the jail root (root-owned, not group/world
      # writable, as ChrootDirectory requires) so Virtualmin can create the
      # real home directory underneath it
      mkdir -p /home/chroot/\$VIRTUALSERVER_USER/home
    else
      # After creation: inside the jail the home shows up as /home/<user>;
      # point the account there and add a symlink so the same path works
      # outside the jail too
      echo "Setting up \$VIRTUALSERVER_USER to chroot'ed environment for sftp"
      usermod -d /home/\$VIRTUALSERVER_USER \$VIRTUALSERVER_USER
      ln -s \$VIRTUALSERVER_HOME /home
      echo " .. done"
    fi
  elif [ "\$VIRTUALSERVER_ACTION" == "DELETE_DOMAIN" ]
  then
    if [ "\$VIRTUALSERVER_CREATED" ]
    then
      # Remove the jail and the symlink along with the domain
      echo "Cleaning up \$VIRTUALSERVER_USER's chroot'ed environment"
      rm -rf /home/chroot/\$VIRTUALSERVER_USER /home/\$VIRTUALSERVER_USER
      echo " .. done"
    fi
  fi
fi
EOF
chmod 755 /home/chroot/bin/chroot.sh
Modify ssh server
Remove or comment out the distribution's existing "Subsystem sftp ..." line first, since sshd refuses to start when the sftp subsystem is defined twice, then append:
cat >> /etc/ssh/sshd_config <<EOF
Subsystem sftp internal-sftp
Match Group sftponly
    ChrootDirectory /home/chroot/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
Match all
EOF
Check the result with "sshd -t" before restarting. The closing "Match all" ends the block, so anything appended to the file later applies to every user again rather than only to the sftponly group.
Restart SSH Server
service ssh restart
Virtualmin Configuration Changes
Virtualmin -> System Settings -> Virtualmin Configuration -> Defaults for new domains -> Home directory base:
/home/chroot/${USER}/home
Virtualmin -> System Settings -> Virtualmin Configuration -> Defaults for new domains -> Home subdirectory:
${USER}
Virtualmin -> System Settings -> Virtualmin Configuration -> Actions upon server and user creation -> Command to run before making changes to a server:
/home/chroot/bin/chroot.sh
Virtualmin -> System Settings -> Virtualmin Configuration -> Actions upon server and user creation -> Command to run after making changes to a server:
/home/chroot/bin/chroot.sh
Enforcing SFTP only access on a user
usermod -a -G sftponly <username>
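Whether sshd will actually use the jail depends on ownership and permissions that none of the steps above verify: the ChrootDirectory must be owned by root and must not be group- or world-writable, otherwise the login fails with "bad ownership or modes for chroot directory" in the auth log. The check script below is an added example, not part of the original post or of Virtualmin. It assumes Linux with GNU or busybox coreutils (stat -c, readlink -f), the layout produced by chroot.sh above (/home/chroot/<user> as jail root, /home/chroot/<user>/home/<user> as the real home, /home/<user> as the symlink), and the hypothetical function names chroot_jail_check and sftponly_member. On a real server run chroot_jail_check <username> as root after creating a server; the built-in demo instead builds a throwaway jail in a temp directory so the script can be tried anywhere.

```shell
#!/bin/sh
# Added verification script (not from the original page or Virtualmin): checks
# that a jail laid out by chroot.sh is one sshd will accept and use.
#
# Layout checked (BASE defaults to /home/chroot, LINKDIR to /home):
#   BASE/USER             jail root          root-owned, not g/o writable
#   BASE/USER/home/USER   real home dir      created by Virtualmin
#   LINKDIR/USER          symlink to the real home, made by chroot.sh

# chroot_jail_check USER [BASE] [LINKDIR] [EXPECTED_UID]
# Prints one FAIL line per problem; returns 0 only if the layout is sound.
chroot_jail_check() {
  local user="$1" base="${2:-/home/chroot}" linkdir="${3:-/home}" want_uid="${4:-0}"
  local jail="$base/$user" home="$base/$user/home/$user" link="$linkdir/$user"
  local rc=0 uid perms

  if [ ! -d "$jail" ]; then
    echo "FAIL: jail root $jail does not exist"
    return 1
  fi

  # sshd insists that the chroot directory is root-owned ...
  uid=$(stat -c '%u' "$jail")
  if [ "$uid" != "$want_uid" ]; then
    echo "FAIL: $jail is owned by uid $uid, expected $want_uid"
    rc=1
  fi
  # ... and that neither the group (char 6) nor others (char 9) may write to it
  perms=$(stat -c '%A' "$jail")          # e.g. drwxr-xr-x
  case "$perms" in
    ?????w*|????????w*)
      echo "FAIL: $jail is $perms (group/world writable)"
      rc=1 ;;
  esac

  if [ ! -d "$home" ]; then
    echo "FAIL: home directory $home is missing inside the jail"
    rc=1
  fi

  # The symlink lets /home/<user> resolve to the same place inside and outside
  if [ ! -L "$link" ]; then
    echo "FAIL: $link is not a symlink into the jail"
    rc=1
  elif [ "$(readlink -f "$link")" != "$(readlink -f "$home")" ]; then
    echo "FAIL: $link points at $(readlink "$link"), not $home"
    rc=1
  fi

  if [ "$rc" -eq 0 ]; then
    echo "OK: $user is correctly jailed under $jail"
  fi
  return "$rc"
}

# sftponly_member USER: 0 if the account is in the sftponly group (so the
# Match block in sshd_config applies to it), 1 otherwise. Uses id(1), so the
# account must exist on this system.
sftponly_member() {
  id -nG "$1" 2>/dev/null | tr ' ' '\n' | grep -qx sftponly
}

# Demo on a constructed jail in a temp directory. EXPECTED_UID is passed as the
# current user so the demo works unprivileged; on the server omit it so that
# root ownership (uid 0) is required.
demo() {
  local t
  t=$(mktemp -d)
  mkdir -p "$t/jail" "$t/home"
  mkdir -m 755 "$t/jail/demo"                     # jail root
  mkdir -p "$t/jail/demo/home/demo"               # what Virtualmin creates
  ln -s "$t/jail/demo/home/demo" "$t/home/demo"   # what chroot.sh adds
  chroot_jail_check demo "$t/jail" "$t/home" "$(id -u)"
  chmod 775 "$t/jail/demo"                        # the classic mistake
  chroot_jail_check demo "$t/jail" "$t/home" "$(id -u)" || true
  rm -rf "$t"
}

demo
```

The permission test deliberately reads the symbolic mode string rather than the octal one so that it stays POSIX sh; sshd applies the same two conditions (owner root, no group/other write bit) to every path component from / down to the jail, so /home/chroot and /home must pass the same test, which is the case with the stock 0755 root-owned directories.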