## Users with sftp access without ssh access (for file hosting)

1. Do one-time setup

```
$ doas mkdir /var/www/OrangeShare/
$ doas groupadd sftponly
```

Edit your httpd config to set "/OrangeShare" as the root location.

Add this to sshd_config:

```
Subsystem sftp internal-sftp

Match Group sftponly
    PasswordAuthentication yes
    ForceCommand internal-sftp
    ChrootDirectory /var/www/OrangeShare/%u
    AllowTcpForwarding no
    AllowAgentForwarding no
    PermitTunnel no
    PermitTTY no
    X11Forwarding no
```

Save this script for adding a new user as newuser.sh:

```
#!/bin/ksh
# refuse to run without a username, so the paths below are never built from an empty string
[ -n "$1" ] || { echo "usage: $0 username" >&2; exit 1; }

# add user (adduser is interactive; enter the same username as $1)
doas adduser
# add user to sftponly group, otherwise they will have full ssh access
doas usermod -g sftponly "$1"
# make user's directory; the chroot directory itself stays root-owned,
# which sshd requires for ChrootDirectory, and only pub/ is writable by the user
doas mkdir "/var/www/OrangeShare/$1"
doas mkdir "/var/www/OrangeShare/$1/pub"
doas chown "$1:$1" "/var/www/OrangeShare/$1/pub"
# set the user's password
doas passwd "$1"
```

2. For each new user

```
$ ksh newuser.sh usernameHere
```

Then email the user their credentials, from either your personal email or your team email if the team has one.

----

Sources:

- http://undeadly.org/cgi?action=article&sid=20080220110039
- https://man.openbsd.org/sftp-server
- https://unix.stackexchange.com/questions/503312/is-it-possible-to-grant-users-sftp-access-without-shell-access-if-yes-how-is-i

## To change sftp accessed directory from /home/USER to /var/www/htdocs/USER