[Updated: see http://www.codefu.org/weblogs/darkness/archives/000165.html#000165 for an update on this entry.]
Here’s my recipe for SFTP-only accounts. I haven’t actually tested this.

Make the user. Generate a key for them. Copy their public key to authorized_keys. Slap something like

command="/usr/libexec/openssh/chroot-sftp-server",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding

onto the beginning of the key’s line (the options apply only to the key they sit in front of, so every key in the file needs them). chown their home directory and everything in it to root (or some other user they don’t have access to). This is necessary so they can’t write to things like .ssh/authorized_keys, .bashrc, etc. Make sure that the home directory and all important files (including .ssh/authorized_keys) are readable by the user and not just root. Set the user’s shell to /usr/libexec/openssh/chroot-sftp-server, so that a login that somehow doesn’t go through the restricted key still lands in the SFTP server rather than a real shell. (I don’t recommend adding this to /etc/shells as I don’t think it’s necessary.)

But wait, you don’t have this file, do you? Check out http://chrootssh.sourceforge.net/ or maybe http://mail.incredimail.com/howto/openssh/addons/. Just build a separate SFTP server. I suspect you’ll also need to modify something in sshd_config to make everyone use this new SFTP server, but maybe not; setting command=... in the key might be enough to do it. Using the patch from the second link above I believe you could set the user’s home directory to /some/path/./theroot and they’d get chrooted into /some/path/theroot. (This is similar to the method wu-ftpd uses, IIRC.)

Now distribute the SSH private key to everyone that needs access to the account. (Or, if you want to be able to cut off one person without rekeying everybody, give each person their own key and add each public key to authorized_keys with the same options in front of it.) No password necessary, and I’d probably avoid setting one: with no password the key is the only way in, and the command= restriction is attached to the key.

Also, I note the second patch above uses the HOME environment variable, which is probably a mistake. It would be trivial to use getpwuid to get the home directory.
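Here is the recipe above written out as shell, as an added example that is not code from the original post or from either of the linked patches. It assumes the chroot-aware server lives at /usr/libexec/openssh/chroot-sftp-server (the path the post uses), a userland with ls, awk, cut and grep, and a useradd(8) that accepts -m, -d and -s; the install function is the root-only part and the only one that changes the system, while the two audit functions can be run as anyone against an existing account.

```sh
#!/bin/sh
# Added example, not code from the original post or the linked patches.
# Builds the restricted authorized_keys line from the recipe and audits the
# resulting home directory. Assumes ls/awk/cut/grep and that the chroot-aware
# sftp server is installed at SFTP_SERVER (assumed path, as in the post).
SFTP_SERVER="/usr/libexec/openssh/chroot-sftp-server"
KEY_OPTIONS="command=\"$SFTP_SERVER\",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding"

# Print the authorized_keys line for one public key ("ssh-rsa AAAA... comment"):
# the key is pinned to the sftp server and pty, port, X11 and agent forwarding
# are switched off for it.
restricted_key_line() {
    printf '%s %s\n' "$KEY_OPTIONS" "$1"
}

# Audit one path against the recipe's ownership rule: it must NOT be owned by
# the SFTP user (so they cannot edit it), must not be group- or other-writable,
# and must still be readable (checked via the "other" read bit, since the user
# is not the owner). Prints one problem per line; returns the number found.
audit_path() {
    path=$1; user=$2; n=0
    if [ ! -e "$path" ]; then
        echo "$path: missing"; return 1
    fi
    set -- $(ls -ld "$path")          # $1 = mode string, $3 = owner
    mode=$1; owner=$3
    if [ "$owner" = "$user" ]; then
        echo "$path: owned by $user; chown it to root"; n=$((n + 1))
    fi
    if [ "$(printf %s "$mode" | cut -c6)" = w ] || [ "$(printf %s "$mode" | cut -c9)" = w ]; then
        echo "$path: writable by group or other"; n=$((n + 1))
    fi
    if [ "$(printf %s "$mode" | cut -c8)" != r ]; then
        echo "$path: not readable by $user"; n=$((n + 1))
    fi
    return $n
}

# Audit an SFTP-only account's home directory as the recipe lays it out:
# home, home/.ssh and home/.ssh/authorized_keys must pass audit_path, and every
# key in authorized_keys must carry the command= prefix, because the options
# only restrict the key they are written in front of. Returns 0 when sound.
audit_sftp_home() {
    home=$1; user=$2; bad=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        audit_path "$p" "$user" || bad=1
    done
    # Drop blank and comment lines, then look for any key line without options.
    if grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$home/.ssh/authorized_keys" \
        | grep -vq '^command="'; then
        echo "$home/.ssh/authorized_keys: has a key line without the command= restriction"
        bad=1
    fi
    return $bad
}

# The root-only part of the recipe: create the account with the sftp server as
# its login shell (useradd leaves the password locked, so there is none),
# install the restricted key, hand the home directory to root and audit it.
# Not exercised by the checks above; requires root. Any directory the user is
# meant to upload into would have to be created and chowned to them separately,
# which the recipe does not cover.
install_sftp_account() {
    user=$1; pubkey=$2; home="/home/$user"
    useradd -m -d "$home" -s "$SFTP_SERVER" "$user" || return 1
    mkdir -p "$home/.ssh"
    restricted_key_line "$pubkey" > "$home/.ssh/authorized_keys"
    chown -R root:root "$home"
    chmod 755 "$home" "$home/.ssh"
    chmod 644 "$home/.ssh/authorized_keys"
    audit_sftp_home "$home" "$user"
}
```

The audit is the part worth running on an account that already exists: it flags a home directory or authorized_keys owned by the user, anything group- or other-writable, anything the user cannot read, and any key line that lacks the command= prefix, which is the one that would give its holder the login shell and forwarding. On OpenSSH 4.9 and later none of the patching is needed: ChrootDirectory together with ForceCommand internal-sftp in sshd_config gives the same result without a separate server binary.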
A few more links I had open: