=======================================
freebsd sftp
=======================================
setup sftp site for user with NO shell access
allow ssh keys only
enable logging for sftp transfers
=======================================
/etc/rc.conf
---------------------------------------
sshd_enable="YES"
syslogd_flags="-s -l /export/sftp/susan/dev/log -l /export/sftp/david/dev/log"
=======================================
/etc/ssh/sshd_config
---------------------------------------
PermitRootLogin no
PubkeyAuthentication no
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
X11Forwarding no
UsePAM no
UseDNS no
Subsystem sftp /usr/libexec/sftp-server
Match Group sftponly
    PubkeyAuthentication yes
    ChrootDirectory %h
    ForceCommand internal-sftp -f AUTH -l INFO
=======================================
setup sftp structure
---------------------------------------
# create sftp group
pw groupadd -n sftponly -g 40001
# create zpool
zpool create \
  -O compression=zstd -O checksum=sha512 -O atime=on \
  -o autoexpand=off -o autoreplace=on -o failmode=continue -o listsnaps=off \
  -m /export tank /dev/da1
# create zfs /export/sftp
zfs create tank/sftp
=======================================
setup sftp site and user (repeat per user, e.g. david)
---------------------------------------
# create zfs /export/sftp/susan
zfs create tank/sftp/susan
# create sftp user
pw useradd -n susan -u 40001 -g 40001 -c "SFTP USER Susan Day" -d /export/sftp/susan -s /usr/sbin/nologin -C /dev/null
# dev/log is the syslog socket inside the chroot (see syslogd_flags in /etc/rc.conf)
mkdir /export/sftp/susan/dev
# the chroot root must be owned by root and not group/world-writable, otherwise sshd refuses the login
chown -R root:wheel /export/sftp/susan
chmod -R 755 /export/sftp/susan
# the only directory susan can write to
mkdir /export/sftp/susan/files
chown susan:sftponly /export/sftp/susan/files
chmod 2775 /export/sftp/susan/files
# restart syslogd
service syslogd restart
# restart sshd
service sshd restart
=======================================
install ssh keys for sftp user
---------------------------------------
mkdir /export/sftp/susan/.ssh
ssh-keygen -t rsa -b 4096 -C "susan@example.com"
> Generating public/private rsa key pair.
> Enter a file in which to save the key (/export/sftp/susan/.ssh/id_rsa): [Press enter]
> Enter passphrase (empty for no passphrase): [Type a passphrase]
> Enter same passphrase again: [Type passphrase again]
# append the public key to authorized_keys
cat /export/sftp/susan/.ssh/id_rsa.pub >> /export/sftp/susan/.ssh/authorized_keys
chown -R susan:sftponly /export/sftp/susan/.ssh
chmod 600 /export/sftp/susan/.ssh/*
chmod 400 /export/sftp/susan/.ssh/id_rsa
# give susan the private key /export/sftp/susan/.ssh/id_rsa to use to connect to the server;
# hand it over through a secure channel and do not leave a copy on the server afterwards
# (alternatively susan generates the key pair on her own machine and only her public key is appended to authorized_keys)
=======================================
setup ipfw & fail2ban
---------------------------------------
https://www.genunix.com/o1/freebsd_ipfw.txt
https://www.genunix.com/o1/freebsd_fail2ban.txt
=======================================
remove sftp site and user
---------------------------------------
pw user del -n susan
zfs destroy -f -r tank/sftp/susan
# remove susan's "-l /export/sftp/susan/dev/log" entry from syslogd_flags in /etc/rc.conf
=======================================
:0)
=======================================