@budiantoip
Last active April 16, 2025 07:50
How to Set Up SFTP

1. How to Set Up SFTP

Let's assume the SSH username is dev.

Open sshd_config

vim /etc/ssh/sshd_config

Then add

Match User dev
    ForceCommand internal-sftp
    PasswordAuthentication yes
    PermitTunnel no
    ChrootDirectory /var/www
    AllowAgentForwarding no
    AllowTcpForwarding no
    X11Forwarding no

Create user dev

sudo useradd -m dev -g www-data -d /var/www/html/dev

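Set up permissions. sshd requires the ChrootDirectory and every directory above it to be owned by root and not writable by group or others: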

chown root:root /var/www

Set dev's password

sudo passwd dev

2. Allow Both SFTP and SSH (Optional)

If you want to allow both SFTP and SSH access, open sshd_config:

vim /etc/ssh/sshd_config

Then comment out this line:

ForceCommand internal-sftp

So, it will look like this:

#ForceCommand internal-sftp

Assuming we only want to give the user a basic shell (sh), we can use busybox:

sudo apt install -y busybox

Create some folders

mkdir -p /var/www/{bin,lib,lib64}

Install busybox dependencies

First, print all of its dependencies

ldd /bin/busybox

Then copy every library that ldd listed into the same path under the chroot, for example:

mkdir -p /var/www/lib/x86_64-linux-gnu /var/www/lib64
cp /lib/x86_64-linux-gnu/libresolv.so.2 /var/www/lib/x86_64-linux-gnu/
cp /lib/x86_64-linux-gnu/libc.so.6 /var/www/lib/x86_64-linux-gnu/
cp /lib64/ld-linux-x86-64.so.2 /var/www/lib64/

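Copy busybox into the chroot as the shell (the symlinks created in the next step rely on /bin/sh inside the chroot being the busybox binary):

cp /bin/busybox /var/www/bin/sh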

Then, install all necessary commands:

for cmd in $(busybox --list); do ln -s /bin/sh /var/www/bin/$cmd; done

Or, if you want to allow only particular commands, e.g. ls and cp, run these:

ln -s /bin/sh /var/www/bin/ls
ln -s /bin/sh /var/www/bin/cp

3. Install PHP v7.4 to chrooted environment (Optional)

# Install build dependencies
sudo apt install build-essential autoconf bison re2c libxml2-dev libssl-dev libcurl4-openssl-dev libsqlite3-dev

# Download PHP 7.4 source
wget https://www.php.net/distributions/php-7.4.33.tar.gz
tar -xzf php-7.4.33.tar.gz
cd php-7.4.33

# Configure static build
./configure --prefix=/opt/php74-static \
            --disable-all \
            --enable-json \
            --enable-phar \
            --enable-cli \
            --enable-static \
            --enable-mbstring \
            --with-curl \
            --with-openssl \
            --enable-posix \
            --enable-pcntl \
            --enable-ctype \
            --enable-filter \
            --enable-zlib \
            --enable-simplexml \
            --with-iconv \
            --enable-session \
            --enable-hash \
            --enable-exif \
            --enable-zip \
            --with-readline \
            --without-shared-libs

make -j$(nproc)
make install

Now, copy the static php

mkdir -p /var/www/usr/bin
cp /opt/php74-static/bin/php /var/www/usr/bin/php

Copy all dependencies:

mkdir -p /var/www/lib/x86_64-linux-gnu /var/www/lib64
cp /lib/x86_64-linux-gnu/libm.so.6 /var/www/lib/x86_64-linux-gnu/
cp /lib/x86_64-linux-gnu/libc.so.6 /var/www/lib/x86_64-linux-gnu/
cp /lib64/ld-linux-x86-64.so.2 /var/www/lib64/
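
The ldd-then-cp steps used for busybox in section 2 and for php above can be scripted. The following is an added example, not part of the original gist; the function names and the script name copy-deps.sh are assumptions. It parses ldd output, stops if a library is unresolved on the host, and copies each dependency into the chroot under the same path.

```shell
#!/bin/sh
# Added example, not part of the original gist.

# Read `ldd` output on stdin; print the absolute library paths, one per line.
# Matches "libc.so.6 => /lib/.../libc.so.6 (0x...)" and the bare loader line
# "/lib64/ld-linux-x86-64.so.2 (0x...)"; linux-vdso has no file and is skipped.
ldd_paths() {
    awk '$2 == "=>" && $3 ~ /^\// { print $3; next }
         $1 ~ /^\//               { print $1 }' | LC_ALL=C sort -u
}

# Read `ldd` output on stdin; print libraries reported as "not found".
unresolved_libs() {
    awk '$2 == "=>" && $3 == "not" { print $1 }'
}

# Read library paths on stdin; copy each into chroot $1 under the same path.
copy_into_chroot() {
    chroot_dir=$1
    while IFS= read -r lib; do
        mkdir -p "$chroot_dir$(dirname "$lib")"
        cp -L "$lib" "$chroot_dir$lib"   # -L: copy the file a symlink points to
    done
}

# copy_deps BINARY CHROOT: copy every library BINARY needs into CHROOT.
copy_deps() {
    deps=$(ldd "$1" 2>/dev/null || true)   # a static binary yields no paths
    missing=$(printf '%s\n' "$deps" | unresolved_libs)
    if [ -n "$missing" ]; then
        echo "unresolved on host: $missing" >&2
        return 1
    fi
    printf '%s\n' "$deps" | ldd_paths | copy_into_chroot "$2"
}

# Run as a script: sh copy-deps.sh /bin/busybox /var/www
if [ "$#" -eq 2 ]; then
    copy_deps "$1" "$2"
fi
```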

4. Install WP-CLI to chrooted environment (Optional)

Download and copy wp-cli:

curl https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar -o /usr/local/bin/wp
chmod +x /usr/local/bin/wp
cp /usr/local/bin/wp /var/www/bin/

Copy env:

cp /usr/bin/env /var/www/usr/bin/

Create /dev/null inside the chroot (the dev directory has to exist first):

mkdir -p /var/www/dev
mknod -m 666 /var/www/dev/null c 1 3

Prepare the /tmp folder to be used by wp-cli. It has to be writable by the chrooted user, with the sticky bit set:

mkdir -p /var/www/tmp
chmod 1777 /var/www/tmp