FreeBSD sFTP SSHD chroot nologin

There are situations where you have a server out there and you want or need someone to upload important files, but you only want to give them minimal access to the system. For that you can use SSHD with sFTP and the /sbin/nologin shell in a chroot environment (a dedicated, limited userspace). Note that SCP requires a working shell, so you need to use sFTP in this case.

Create a new user account in the existing ftp group with the /sbin/nologin shell:

# adduser

Alternatively you can modify an existing account to share:

# pw groupmod ftp -m username
# pw usermod username -s /sbin/nologin

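You need to set the correct ownership on the user's home directory and create a public directory inside it for uploads. sshd only accepts a chroot directory that is owned by root and not writable by any other user or group, so the user gets write access to public only: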

# chown root:wheel /home/username
# mkdir /home/username/public
# chown username:ftp /home/username/public

Now modify the SSHD server configuration file /etc/ssh/sshd_config and append:

Match Group ftp
        ChrootDirectory         /home/%u
        ForceCommand            internal-sftp
        AllowTcpForwarding      no
        PermitTunnel            no
        X11Forwarding           no

Remember to restart SSHD to apply the new configuration:

# service sshd restart
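
If an sFTP login is refused after the restart with a "bad ownership or modes for chroot directory" error, the ownership rules from the chown step are not met somewhere on the path. The script below is an added example, not part of the original article; it checks every directory from the chroot up to /, and the function names and script name are hypothetical.

```sh
#!/bin/sh
# Added example: pre-flight check for an sshd ChrootDirectory.
# sshd accepts the chroot only if every directory from / down to the target
# is owned by root and not writable by group or others.

# check_component DIR [UID]: succeed if DIR is a directory owned by UID
# (default 0) with neither the group-write nor the other-write bit set.
# -H makes find follow a symlinked DIR, e.g. /home -> /usr/home.
check_component() {
    [ -n "$(find -H "$1" -prune -type d -user "${2:-0}" \
            ! -perm -020 ! -perm -002 -print 2>/dev/null)" ]
}

# check_chroot ABS_PATH [UID]: walk from ABS_PATH up to / and report every
# component that fails. Returns 0 if all pass, 1 if any fail, 2 on bad input.
check_chroot() {
    case $1 in
        /*) ;;
        *) echo "need an absolute path: $1" >&2; return 2 ;;
    esac
    p=$1
    rc=0
    while :; do
        if ! check_component "$p" "${2:-0}"; then
            echo "FAIL: $p ($(ls -ldn "$p" 2>/dev/null))" >&2
            rc=1
        fi
        if [ "$p" = / ]; then break; fi
        p=$(dirname "$p")
    done
    return "$rc"
}

# Usage: sh check_chroot.sh /home/username   (script name is hypothetical)
if [ $# -gt 0 ]; then
    check_chroot "$1"
fi
```

Run it against /home/username; the public directory is expected to be owned by the user and is not part of the chroot path, so it is not checked.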

Once the account is no longer needed, remember to remove it:

# pw userdel username