
Restricting Users To SFTP (Chrooted SFTP)

I will use the user chrooteduser here with the directory /home/chrooteduser. The user chrooteduser belongs to the group users. I want to chroot the user to the /home/chrooteduser directory.

Enabling Chrooted SFTP

Enabling chrooted SFTP is straightforward. Open /etc/ssh/sshd_config

$ vi /etc/ssh/sshd_config

… and make sure it contains the following line:

[...] 

Subsystem sftp internal-sftp 

[...]

Then add the following stanza at the end of the file (add such a stanza for each user that you want to chroot):

[...]
Match User chrooteduser
      ChrootDirectory /home/chrooteduser
      AllowTCPForwarding no
      X11Forwarding no
      ForceCommand internal-sftp

Note: Instead of adding a stanza for each user, you can also chroot groups, e.g. as follows:

[...]
Match Group users
      ChrootDirectory /home
      AllowTCPForwarding no
      X11Forwarding no
      ForceCommand internal-sftp

# This would chroot all members of the users group to the /home directory.
Please note that all components of the pathname in the ChrootDirectory directive must be root-owned directories that are not writable by any other user or group (see man 5 sshd_config).
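Both the Match stanza and the path ownership rule above are easy to get slightly wrong, so the following added example (not from the original post or from OpenSSH) checks them. It parses the Match blocks out of a constructed sshd_config fragment with the same stanzas shown above, flags a block that would not give an SFTP-only chroot, and applies sshd's rule that every component of the ChrootDirectory path must be root-owned and not group- or world-writable. The function names, the sample config and the constructed (path, uid, mode) records in the usage are assumptions for illustration.

```python
"""Sanity-check a chrooted-SFTP setup: the Match stanza in sshd_config and the
ownership/permissions of every component of the ChrootDirectory path."""
import os
import stat
from typing import Dict, List, Optional, Tuple

# Constructed sample sshd_config fragment mirroring the stanzas above.
SAMPLE_SSHD_CONFIG = """\
Subsystem sftp internal-sftp

Match User chrooteduser
      ChrootDirectory /home/chrooteduser
      AllowTCPForwarding no
      X11Forwarding no
      ForceCommand internal-sftp

Match Group users
      ChrootDirectory /home
      AllowTCPForwarding no
      X11Forwarding no
      ForceCommand internal-sftp
"""


def parse_match_blocks(text: str) -> List[Tuple[str, Dict[str, str]]]:
    """Return [(criteria, {keyword: value}), ...] for each Match block.

    Keywords are lower-cased because sshd matches them case-insensitively
    (so 'AllowTCPForwarding' above equals the documented 'AllowTcpForwarding').
    Lines before the first Match belong to the global section and are skipped.
    """
    blocks: List[Tuple[str, Dict[str, str]]] = []
    current: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, _, value = line.partition(" ")
        if keyword.lower() == "match":
            current = {}
            blocks.append((value.strip(), current))
        elif current is not None:
            current[keyword.lower()] = value.strip()
    return blocks


def sftp_chroot_problems(settings: Dict[str, str]) -> List[str]:
    """Flag a Match block that does not yield an SFTP-only, locked-down chroot."""
    problems: List[str] = []
    if "chrootdirectory" not in settings:
        problems.append("no ChrootDirectory: the user is not confined")
    if settings.get("forcecommand", "").lower() != "internal-sftp":
        problems.append("ForceCommand is not internal-sftp: a shell may still be reachable")
    if settings.get("allowtcpforwarding", "").lower() != "no":
        problems.append("AllowTCPForwarding not explicitly set to no")
    if settings.get("x11forwarding", "").lower() != "no":
        problems.append("X11Forwarding not explicitly set to no")
    return problems


def path_components(path: str) -> List[str]:
    """'/home/chrooteduser' -> ['/', '/home', '/home/chrooteduser']."""
    parts = [p for p in os.path.normpath(path).split("/") if p]
    return ["/"] + ["/" + "/".join(parts[: i + 1]) for i in range(len(parts))]


def chroot_path_problems(entries: List[Tuple[str, int, int]]) -> List[str]:
    """Apply sshd's rule to (path, owner_uid, st_mode) records: every
    component must be root-owned and not writable by group or others."""
    problems: List[str] = []
    for path, uid, mode in entries:
        if uid != 0:
            problems.append(f"{path}: owned by uid {uid}, must be root")
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append(f"{path}: mode {oct(mode & 0o7777)} is group- or world-writable")
    return problems


def inspect_chroot_path(chroot: str) -> List[str]:
    """Live variant: stat each component of an existing path and apply the rule."""
    entries = [(c, os.stat(c).st_uid, os.stat(c).st_mode) for c in path_components(chroot)]
    return chroot_path_problems(entries)


if __name__ == "__main__":
    for criteria, settings in parse_match_blocks(SAMPLE_SSHD_CONFIG):
        issues = sftp_chroot_problems(settings) or ["ok"]
        print(f"Match {criteria}: {', '.join(issues)}")
        chroot = settings.get("chrootdirectory")
        if chroot and os.path.isdir(chroot):
            print("  " + "; ".join(inspect_chroot_path(chroot) or ["path ownership ok"]))
```

The path rule is the part that trips people up: a home directory owned by the user itself fails it, so the usual arrangement is a root-owned, mode 755 chroot directory with a user-owned subdirectory inside it for uploads. After editing the configuration, `sshd -t` validates the syntax before the restart.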

Restart OpenSSH:

/etc/init.d/ssh restart

or

service ssh restart

Now you can log in with an SFTP client such as FileZilla.