### SFTP setup

```
# groupadd ht
# echo "Ce compte n'est accessible qu'en SFTP, pas en SSH. This account is only available over SFTP, not over SSH." > /etc/nologin.txt
# ssh-keygen -q -N "" -t ed25519 -f /etc/ssh/keys/ed25519
# ssh-keygen -q -N "" -t rsa -b 3072 -f /etc/ssh/keys/rsa-3072
# awk '$5 >= 3071' /etc/ssh/moduli > /etc/ssh/moduli.safe
# mv /etc/ssh/moduli.safe /etc/ssh/moduli
```

To get the ASCII art and SHA-256 fingerprints:

```
# ssh-keygen -vlf /etc/ssh/keys/ed25519.pub
# ssh-keygen -vlf /etc/ssh/keys/rsa-3072.pub
```

To generate SSHFP records (the public keys live under `/etc/ssh/keys/`, where they were generated above):

```
# ssh-keygen -r sftp.niver.4.niv.re -f /etc/ssh/keys/ed25519.pub
# ssh-keygen -r sftp.niver.4.niv.re -f /etc/ssh/keys/rsa-3072.pub
```

`ssh-keygen -r` prints two records per key. Don't use the first record, which is SHA-1; use the second, which is SHA-256.

The record data has the form `SSHFP <pkey-algorithm> <hash-algorithm> <fingerprint>`.

For `pkey-algorithm`:

* `1` means RSA
* `2` means DSA (must not be used)
* `3` means ECDSA (should not be used)
* `4` means Ed25519

For `hash-algorithm`:

* `1` means SHA-1 (must not be used)
* `2` means SHA-256
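The rules above can be applied mechanically to the output of `ssh-keygen -r` before the records go into the zone. The following is an added example, not part of the original notes: a small POSIX shell filter that keeps only RSA or Ed25519 records with a SHA-256 fingerprint, drops DSA, ECDSA and SHA-1 records, and also rejects a record whose fingerprint is not 64 hex characters (the length of a SHA-256 digest), which catches a truncated copy-paste. The host name and fingerprints in the sample input are constructed placeholders, not real key hashes.

```shell
#!/bin/sh
# Added example: filter SSHFP records produced by `ssh-keygen -r`.
# Each input line looks like:
#   <host> IN SSHFP <pkey-algorithm> <hash-algorithm> <fingerprint>
# Constructed sample input; the fingerprints are placeholders.
SAMPLE_SSHFP='sftp.example.invalid IN SSHFP 1 1 0123456789abcdef0123456789abcdef01234567
sftp.example.invalid IN SSHFP 1 2 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
sftp.example.invalid IN SSHFP 2 2 fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210
sftp.example.invalid IN SSHFP 3 2 fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210
sftp.example.invalid IN SSHFP 4 1 fedcba9876543210fedcba9876543210fedcba98
sftp.example.invalid IN SSHFP 4 2 deadbeef
sftp.example.invalid IN SSHFP 4 2 00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff'

# sshfp_keep: read SSHFP records on stdin, print the publishable ones on stdout.
# Policy (from the notes): pkey-algorithm 1 (RSA) or 4 (Ed25519) only,
# hash-algorithm 2 (SHA-256) only. Rejected records are reported on stderr
# with the reason, so nothing is silently lost.
sshfp_keep() {
    awk '
        $3 == "SSHFP" {
            alg = $4; hash = $5; fp = $6
            if (hash == 1) { print "drop (SHA-1 must not be used): " $0 > "/dev/stderr"; next }
            if (hash != 2) { print "drop (unknown hash type " hash "): " $0 > "/dev/stderr"; next }
            if (alg == 2)  { print "drop (DSA must not be used): " $0 > "/dev/stderr"; next }
            if (alg == 3)  { print "drop (ECDSA should not be used): " $0 > "/dev/stderr"; next }
            if (alg != 1 && alg != 4) { print "drop (unknown key type " alg "): " $0 > "/dev/stderr"; next }
            # A SHA-256 digest is 32 bytes, i.e. exactly 64 hex characters.
            if (length(fp) != 64 || fp !~ /^[0-9a-fA-F]+$/) {
                print "drop (fingerprint is not a 64-hex-char SHA-256 digest): " $0 > "/dev/stderr"; next
            }
            print
        }'
}

# Usage: pipe the real records in, e.g.
#   ssh-keygen -r sftp.example.invalid -f /etc/ssh/keys/ed25519.pub | sshfp_keep
printf '%s\n' "$SAMPLE_SSHFP" | sshfp_keep
```

Run against the sample, only the `1 2` and the well-formed `4 2` record survive; the SHA-1 records, the DSA and ECDSA records and the truncated `deadbeef` record are each reported on stderr with the reason they were dropped.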