GitLab

Add the Option to create an SFTP User instead of having to run pure-ftpd and use this age-old protocol. FTP/S is an OK'ish workaround for secure transmission of data, but having the option to use SFTP for file transfer uploads would be much better.

SFTP could be used via an addition to the OpenSSH server configuration by adding an option set for a specific group or groups (e.g. sftponly) to force those upload account to only be used for SFTP and not provide a login shell.

As the "webXY" users already exist and point to a directory (/var/www/clients/clientXX/webXY) that is owned by root:root, the requirements for SFTP chrooting are already given. Those SFTP accounts could be created just like the Shell Users function with the exceptions given above.

The following snippet would provide a safe chroot environment

# SFTP Only Users
Match Group sftponly
     X11Forwarding no
     AllowTcpForwarding no
     ChrootDirectory %h
     ForceCommand internal-sftp

A user (e.g. sftp19_webspace) would just get its homedir (e.g. /var/www/clients/client5/web19) without providing a shell (in /etc/passwd) and would get sftp-only as group so to force the chroot active.