Subject: Setting up sftp and user permissions
Group: Gentoo-user
From: Mick
Date: 24 Aug 2007

Hi All,

I have a desktop box which I am starting to use as a LAN server. I created a
new user and noticed that:

a) The new user is asked to log in with passwd as opposed to pubkey. This is
surprising as (I thought) that I had set up sshd_config to allow pubkey
authentication only - need to check this again when I get home. Other than a
misconfigured sshd_config could it be anything else that causes this?

b) Once logged in via sftp the new user can read and access other users' files.
This is because the default permission setting for /home/%u/ is 0644
(rw-r--r--). Is there a clever way of tightening this down without messing
up all home file and directory permissions indiscriminately?

I understand that there are many ways to skin a cat - in this case to contain
somewhat what a plain user can and cannot do when they log in via sftp. Some
ideas that I have come across are to use a limited shell like rssh, use an ssh
chroot, modify the umask for user directories.

I am interested to find out what you might have tried and what you would
recommend.
--
Regards,
Mick
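
An added example (not part of the original post) for point (b): it lists home directories that grant any access to group or other and closes only the top-level directory, leaving the modes of the files inside unchanged. It assumes GNU `stat` and one home directory per user directly under the base path; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes GNU coreutils stat
# and that each user's home is a direct child of the base directory.

# Print "<octal mode> <path>" for every home directory under $1
# (default /home) that grants any permission bit to group or other.
audit_homes() {
    base=${1:-/home}
    for d in "$base"/*/; do
        [ -d "$d" ] || continue          # unmatched glob or not a directory
        d=${d%/}
        [ ! -L "$d" ] || continue        # never follow a symlinked home
        mode=$(stat -c '%a' "$d") || continue
        case $mode in
            0|*00) ;;                    # group and other digits are both 0
            *) printf '%s %s\n' "$mode" "$d" ;;
        esac
    done
}

# Remove group/other access from the flagged top-level directories only.
# Not recursive: without search permission on the home directory itself,
# other users cannot reach the files inside, whatever their own modes are.
tighten_homes() {
    base=${1:-/home}
    audit_homes "$base" | while read -r mode dir; do
        chmod go-rwx "$dir" && printf 'tightened %s (was %s)\n' "$dir" "$mode"
    done
}

# Usage (run as root on the server):
#   audit_homes /home        # report only
#   tighten_homes /home      # apply the change
```

Anything that must read inside a home directory as another user, such as a web server serving per-user directories, loses access once the top-level directory is closed.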