I've had an FTP server (Mac OS X, but not the server version) set up for a while where the users are virtual, i.e. they are not actual user accounts in the server's OS, but accounts handled by the FTP server software -- to the OS they all look like the ftp user account. I'd like to retire the FTP server software and go SFTP instead.

Is there a way to set up SFTP/SSH so that I can create virtual users and at the same time sandbox them?

The reason I want virtual users is because I add and remove accounts from time to time, and doing that with proper user accounts tends to get messy, and I don't know of a good way to sandbox them. There are always some files left, and each user has their own user directory (with a lot of files only relevant if they would actually log on to the machine when sitting in front of it), which is quarantined when the account is removed, so you have to remove it by hand yourself, and so on.

+1  A: 

I have successfully followed this paper to set up an SFTP-jail which will sandbox your users.

http://www.minstrel.org.uk/papers/sftp/

Espo
+3  A: 

The usual generic Unix answer to this is 'PAM'. If you want plain old OpenSSH SSHD to handle your SFTP, you need something plugged in to SSHD's PAM stack (/etc/pam.d/sshd) that does what you need and leaves out what you don't need. This might be a general-purpose directory server (probably LDAP) that maps all your virtual users to one home directory and gives them a restricted or scponly kind of shell.

If you want to look at FTP servers that can also do SFTP, a bit of googling suggests that Pure-ftpd might be interesting to play with.

http://www.bsdguides.org/guides/freebsd/networking/pure-ftpd_virtual_users.php

robc
A: 

On Windows you can certainly do this with the CompleteFTP server. It supports FTP, FTPS, SFTP and SCP.

Bruce Blackshaw