Prequisite : a running ssh server.

Below are the steps to chroot sftp-only ssh users. All users who belong to the group ‘sftp-users’ (for example a user named ‘john’) can only use sftp ssh (no shell allowed) and will be chrooted to their home when using the sftp ssh. In each user home directory, a writeable subdirectory named ‘uploads’ is created to allow user to upload files.

Step 1 : create the group ‘sftp-users’, the user ‘john’ belonging to this group, and the needed directories.

sudo groupadd sftp-users
sudo adduser john
sudo rm /home/john/*.*
#sudo useradd -G sftp-users -s /bin/false john --password
sudo usermod -G sftp-users -s /bin/false john
sudo chown -R root:root /home/john
sudo chmod -R 755 /home/john
sudo mkdir /home/john/uploads
sudo chown john:sftp-users /home/john/uploads
sudo chmod ug+rwX /home/john/uploads

Step 2 : modifiy the /etc/ssh/sshd_config file to chroot sftp only for the group ‘sftp-users’

Activate the internal sftp

Subsystem sftp internal-sftp

Add at the end of the file the following lines :

Match Group sftp-users
ChrootDirectory %h
ForceCommand internal-sftp
X11Forwarding no
AllowTcpForwarding no
Match

Step 3 : test the chrooted sftp-only user after restarting the ssh server

service ssh restart
sftp john@localhost
Print Friendly, PDF & Email