sshd sftp chroot jail howto

Problem description:

You would like to jail users to their home directories and not allow shell access, only sftp access.

Solution:

SFTP chroot jail

1. Create a system group. Here I call it sftponly.

2. Edit the sshd_config file, usually residing in /etc/ssh/sshd_config
(on openSUSE, oddly, it's in /usr/etc/sshd/ )
and append the following. It needs to go at the end of the file, because everything after a Match line applies only to that match, until the next Match or the end of the file:

and restart sshd.

PasswordAuthentication No means users can only log in with their SSH key; no passwords are allowed.

3. Create the skeleton structure for each new user.

We create the .ssh, htdocs and log directories.

4. Add a user, chown its home directory to root:root and set the login shell to nologin.
sshd insists on this: the ChrootDirectory and every directory above it must be owned by root and must not be group- or world-writable, otherwise the login is refused.
Also add this user to the sftponly group and set proper permission octals.
On Rocky 9 nologin is in /usr/sbin/nologin .

5. Add the client's ed25519 public key to /home/username/.ssh/authorized_keys

Here AAAA… is replaced by the actual public key from the client's machine.
Check your /home/username/.ssh/id_ed25519.pub file, or that of your customer/friend/etc.

And that’s it.
Yes, that’s all there is to it.

The user will be able to transfer files via SFTP into the subdirectories you created in step 3, but not write files or create directories in the chroot root itself.
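The ownership and mode rules from step 4 are the usual reason a fresh chroot refuses logins, so here is a small check script for them. It is an added example, not part of the original howto; it assumes a Linux host with GNU coreutils, and the CHROOT_OWNER_UID variable and optional second argument are only there so the check can be run against a scratch tree.

```shell
#!/bin/sh
# Added example: verify that a ChrootDirectory such as /home/username
# satisfies what sshd enforces before it will chroot: the directory and
# every path component above it must be owned by root and must not be
# group- or world-writable. Otherwise the login fails and sshd logs
# "bad ownership or modes for chroot directory".
# Assumes GNU coreutils (stat -c, realpath), i.e. a Linux host.
# CHROOT_OWNER_UID (default 0 = root) and the optional second argument
# (where to stop walking up, default /) exist only so the function can be
# exercised on a scratch tree; leave them at the defaults in production.

check_chroot_path() {
    path=$(realpath -- "$1") || return 2
    top=$(realpath -- "${2:-/}") || return 2
    want_uid=${CHROOT_OWNER_UID:-0}
    rc=0
    while :; do
        uid=$(stat -c '%u' -- "$path") || return 2
        perm=$(stat -c '%A' -- "$path") || return 2   # e.g. drwxr-xr-x
        if [ "$uid" != "$want_uid" ]; then
            echo "FAIL $path: owned by uid $uid, expected $want_uid" >&2
            rc=1
        fi
        # position 6 is the group write bit, position 9 the other write bit
        case $perm in
            ?????w*|????????w*)
                echo "FAIL $path: group- or world-writable ($perm)" >&2
                rc=1 ;;
        esac
        # stop once the top of the walk (normally /) has been checked
        [ "$path" = "$top" ] && break
        [ "$path" = / ] && break
        path=$(dirname -- "$path")
    done
    [ "$rc" -eq 0 ] && echo "OK: $1 is usable as ChrootDirectory" >&2
    return "$rc"
}

# Usage: ./check_chroot.sh /home/username
if [ "$#" -gt 0 ]; then
    check_chroot_path "$@"
fi
```

Run it as root after step 4; a non-zero exit plus the FAIL lines tells you exactly which path component needs chown root:root or chmod 755.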

I will have to get rid of Google Chrome

They introduced “Google Search side panel”.
There is no way I can get rid of it.
There have been various solutions on the net, but none work, not even extensions work.

I don’t want search to open in a side panel.
I want it in a new tab, where I can see the address bar and have full width.

Every topic created on their support forum is closed.

I’ll have to migrate all my passwords to Firefox Sync.
Bookmark migration is not a big deal.
And finally replace Chrome on the phone too with Firefox, despite all its features.

Google, don't fuck with my search experience, or I'll get rid of you completely.
Those small Adsense amounts are not worth the trouble with your spying, annoying, racist against straight white males company.

Block the Heise nag screen with uBlock Origin

These 2 lines currently block the cookie/Pur subscription modal and remove the scroll lock, so that you can scroll down and up again.

Copy large qcow2 image via rsync between 2 servers

Problem:
A very large (400GB+) .qcow2 file needs to be copied from HostA to HostB, where HostB is behind an ISP that forcibly drops the connection every 24 hours.
Also, because other people in that household use TV streaming, the bandwidth consumed should be limited.
In this case I'm on a 100MBit/s connection, and I'll limit the transfer speed to 4MB/s.

We will use rsync for this.

The command is simply:

--sparse means skip transferring zeroes, i.e. empty, unfilled data.
--bwlimit=4000 means limit the transfer speed to 4000 kByte/second, i.e. the 4MB/s from above.
--info=progress2 shows a prettier, whole-transfer progress than just --progress.
--partial and --append-verify allow us to resume the transfer once the 24 hour disconnection kicks in, without needing to start from the beginning. --append-verify also checksums the already transferred data instead of blindly trusting it.