create chroot sftp server in linux with ssh key connection

Steps for creating a chroot sftp server in a linux server with ssh key login. The sftp user will be locked in jail in the sftp folder. In other words, the sftp user will only be able to access the sftp folder.
Warning: If this is done incorrectly, it’s possible you will be locked out of your server. For safety, create a user with root access and make sure you can login with root access to your remote server using password login before proceed to the following.

1. Create SSH key on your local machine. It could be a laptop, a linux desktop or a linux server, the client server that will be using the ssh key file to login to the sftp server.
Make the .ssh directory if it doesn’t exist yet and cd into it.
Generate rsa private and public key, when asked for rsa file name and password, just enter to skip it or enter a filename and a password you prefer. If a password is entered, it will promot for password when making connections using this key file.
Print the content of the id_rsa.pub out and copy it. It will be copied to the file authorized_users in the .ssh folder of the sftp user’s home directory on the sftp server.

mkdir ~/.ssh
cd ~/.ssh
ssh-keygen -t rsa -b 4096 -C "my_sftp_rsa"
cat id_rsa.pub

2. Add a group to house sftp users. Step 2 through step7 are performed on the remote server.

sudo groupadd sftpusers

3. Create a sftp user with username sftpuser2 and add it to the sftpusers group.
Make /sftpuser2 the home direcoty for this user.
Give no shell login access to this user.

sudo useradd -g sftpusers -d /sftpuser2 -s /sbin/nologin sftpuser2

4. Create folders and add appropriate ownership and permissions for the sftp users.
/public/sftp will be the folder to house individual sftp folders.
/public/sftp/sftpuser2/ will be the chroot folder for sftpuser2, everything in this folder will be accessable by sftpuser2.
/public/sftp/sftpuser2/sftpuser2/ will be the home folder for sftpuser2.

mkdir /public/sftp/
mkdir /public/sftp/sftpuser2/
mkdir /public/sftp/sftpuser2/sftpuser2/
sudo chown root:sftpusers /public/sftp/
sudo chown root:sftpusers /public/sftp/sftpuser2/
sudo chown sftpuser2:sftpusers /public/sftp/sftpuser2/sftpuser2/
sudo chmod -R 755 /public/sftp/

5. Add the rsa public key string from the id_rsa.pub created in step 1 on your local machine to the the file authorized_keys.
Make /sftpuser2/ to be readable and executable for all users.
Change directory to /sftpuser2/ and create a .ssh folder, change the ownership to sftpuser2 and group to sftpusers.
Use vim or other text editor to create the file authorized_keys and paste the public rsa key string from the id_rsa.pub created in step 1 on your local machine.
Again, change the ownership to sftpuser2 and group to sftpusers for the file authorized_users.
Make it readable and writable only by sftpuser2

sudo chmod 755 /sftpuser2/
cd /sftpuser2/
sudo mkdir .ssh
sudo chown sftpuser2:sftpusers .ssh
cd .ssh
sudo vim authorized_keys
sudo chown sftpuser2:sftpusers authorized_keys
sudo chmod 600 authorized_keys

6. Edit /etc/ssh/sshd_config
Find the line starts with Subsystem, comment it out and replace it with this line.

Subsystem sftp internal-sftp

In the same file /etc/ssh/sshd_config, add these at the end.

Match Group sftpusers
    ChrootDirectory /public/sftp/%u
    ForceCommand internal-sftp

In the same file /etc/ssh/sshd_config, this should set to no for ssh key connection only. If you want to be able to connect to the server both with password and ssh key authentication, then make sure PasswordAuthentication is set to yes like this.

PasswordAuthentication yes

7. Restart sshd and logout.

sudo service sshd restart

8. sftp into the sftp server or using a sftp client such as Filezilla or CycberDuck.
Use your server domain if your remote server has a domain name, else juse use the ip address of the server.

sftp -i ~/.ssh/id_rsa sftpuser2@myremoteserver.com

Search within Codexpedia

Custom Search

Search the entire web

Custom Search