You know how it is: you're hosting some creaky mass of PHP and SSIs on your box for historical/hysterical reasons, the site requires some kind of FTP access for its admin to edit it, and you'd rather not give them an SSH login with which to do arbitrary stuff on your machine.

For the last couple of years, I've used scponly (this guide) to achieve roughly the right effect, but having an essentially unmaintained chroot on my box slowly collecting security vulnerabilities felt wrong. Surely it must be possible to provide secure FTP to users without using SSH at all, and without having to maintain a chroot?

Indeed it is. ProFTPD is a well-recognised FTP server and has a handy SFTP module, and both are conveniently packaged for Debian:

# apt-get install proftpd-basic

The documentation is pretty good; it enabled me to arrive at the config below (suck it into the main one using an include for ease of maintenance) with just the one diversion to work out why my WinSCP wouldn't talk to it (see the protocol switching line below). In WinSCP's defence, I am using a pretty ancient version.

# Use SFTP with the same keys as SSH
# http://www.proftpd.org/docs/contrib/mod_sftp.html
SFTPEngine on
SFTPLog /var/log/proftpd/sftp.log

SFTPHostKey /etc/ssh/ssh_host_rsa_key
SFTPHostKey /etc/ssh/ssh_host_dsa_key

# Enable compression
SFTPCompression delayed

# Workaround for WinSCP bug: http://winscp.net/forum/viewtopic.php?t=8121
SFTPClientMatch ".*WinSCP.*" sftpProtocolVersion 4

# Allow the same number of authentication attempts as OpenSSH.
#
# It is recommended that you explicitly configure MaxLoginAttempts
# for your SSH2/SFTP instance to be higher than the normal
# MaxLoginAttempts value for FTP, as there are more ways to authenticate
# using SSH2.
MaxLoginAttempts 6

# Only allow specifically whitelisted users (members of the ftp group)
# http://www.proftpd.org/docs/howto/Limit.html
<Limit LOGIN>
  AllowGroup ftp
  DenyAll
</Limit>

Just make sure your users are in the ftp group, but not able to log in through SSHD.
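
One way to check that last point, as an added example that is not part of the original post: the script lists ftp group members that sshd would still accept. It assumes sshd is kept away from them with literal DenyGroups or DenyUsers entries in a single sshd_config; the function names and the sample accounts are constructed for illustration.

```shell
#!/bin/sh
# Added example: list members of a group that sshd would still accept.
# Assumptions: only DenyGroups/DenyUsers with literal names are checked,
# Include files are not followed, and parsing stops at the first Match.

# Members of group $1: supplementary members from group file $2 plus
# accounts in passwd file $3 whose primary GID is that group's GID.
group_members() {
    gid=$(awk -F: -v g="$1" '$1 == g { print $3 }' "$2")
    {
        awk -F: -v g="$1" '$1 == g { n = split($4, m, ",")
            for (i = 1; i <= n; i++) print m[i] }' "$2"
        awk -F: -v id="$gid" 'id != "" && $4 == id { print $1 }' "$3"
    } | sort -u
}

# Succeed if directive $2 in sshd_config $1 names $3 (global section only).
sshd_denies() {
    awk -v kw="$2" -v name="$3" '
        tolower($1) == "match" { exit }
        tolower($1) == tolower(kw) { for (i = 2; i <= NF; i++) if ($i == name) found = 1 }
        END { exit !found }' "$1"
}

# usage: ssh_exposed GROUP GROUP_FILE PASSWD_FILE SSHD_CONFIG
# Prints members not denied by sshd; returns 1 if there are any.
ssh_exposed() {
    if sshd_denies "$4" DenyGroups "$1"; then return 0; fi
    exposed=$(for u in $(group_members "$1" "$2" "$3"); do
        sshd_denies "$4" DenyUsers "$u" || echo "$u"
    done)
    if [ -z "$exposed" ]; then return 0; fi
    echo "$exposed"
    return 1
}

# Constructed sample data (not from the post): alice is a supplementary
# member, bob has ftp as primary group, and only alice is in DenyUsers.
demo() {
    d=$(mktemp -d)
    printf 'ftp:x:123:alice\nwww-data:x:33:\n' > "$d/group"
    printf 'alice:x:1001:1001::/srv/a:/bin/sh\nbob:x:1002:123::/srv/b:/bin/sh\n' > "$d/passwd"
    printf 'PermitRootLogin no\nDenyUsers alice\nMatch User x\nDenyGroups ftp\n' > "$d/sshd_config"
    rc=0
    ssh_exposed ftp "$d/group" "$d/passwd" "$d/sshd_config" || rc=$?
    rm -rf "$d"
    return "$rc"
}
```

Against a live box the call would be ssh_exposed ftp /etc/group /etc/passwd /etc/ssh/sshd_config; any name it prints is in the ftp group without a matching deny entry.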

Of course, with either solution you still have to worry about scripts and PHP executed by your user's website being able to see the full filesystem of the machine, but mod_chroot and mod_suexec for Apache are both well documented and also Debian packaged.