create chroot sftp server in linux
Steps for creating a chroot sftp server in a linux server. The sftp user will be locked in jail in the sftp folder. In other words, the sftp user will only be able to access the sftp folder.
Warning: If this is done incorrectly, it's possible you will be locked out of your server. For safety, create a user with root access and make sure you can log in to your remote server with that root access using password login before proceeding with the following steps.
1. Add a group to house sftp users. Step 1 through step 5 are performed on the remote server.
sudo groupadd sftpusers
2. Create a sftp user with username sftpuser1 and add it to the sftpusers group.
Make /sftpuser1 the home directory for this user. This /sftpuser1 is relative to the chroot folder, not the system root /, so once the chroot from step 4 is in place it resolves to /public/sftp/sftpuser1/sftpuser1.
Give no shell login access to this user.
Set a password for the user sftpuser1.
sudo useradd -g sftpusers -d /sftpuser1 -s /sbin/nologin sftpuser1
sudo passwd sftpuser1
3. Create folders and add appropriate ownership and permissions for the sftp users.
/public/sftp will be the folder to house individual sftp folders.
/public/sftp/sftpuser1/ will be the chroot folder for sftpuser1, everything in this folder will be accessible by sftpuser1. sshd requires this folder and every parent folder to be owned by root and not writable by group or others, which is why the ownership below stays root:sftpusers and the mode is 755.
/public/sftp/sftpuser1/sftpuser1/ will be the home folder for sftpuser1.
sudo mkdir /public/sftp/
sudo mkdir /public/sftp/sftpuser1/
sudo mkdir /public/sftp/sftpuser1/sftpuser1/
sudo chown root:sftpusers /public/sftp/
sudo chown root:sftpusers /public/sftp/sftpuser1/
sudo chown sftpuser1:sftpusers /public/sftp/sftpuser1/sftpuser1/
sudo chmod -R 755 /public/sftp/
4. Edit /etc/ssh/sshd_config
Find the line that starts with Subsystem, comment it out and replace it with this line.
Subsystem sftp internal-sftp
In the same file /etc/ssh/sshd_config, add these at the end.
Match Group sftpusers
    ChrootDirectory /public/sftp/%u
    ForceCommand internal-sftp
In the same file /etc/ssh/sshd_config, make sure PasswordAuthentication is set to yes like this.
PasswordAuthentication yes
5. Restart sshd and log out.
sudo service sshd restart
6. sftp into the server from the command line, or use an sftp client such as FileZilla or Cyberduck.
Use your server's domain name if it has one, else just use the IP address of the server.
sftp sftpuser1@yourserver.com
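The following script is an added example, not part of the original article. It wraps steps 1 through 4 into shell functions: one that provisions a jailed user with the directory layout from step 3, one that emits the Match block from step 4 for any group and base folder, and one that walks a ChrootDirectory path and verifies the rule sshd enforces (every component owned by root and not writable by group or others), which is the usual cause of a "bad ownership or modes for chroot directory" login failure. It assumes a Linux host with GNU coreutils (stat -c, install -d) and reuses the article's names sftpusers, /public/sftp and sftpuser1; the function names are mine.

```shell
#!/bin/sh
# Added example: chroot sftp provisioning and verification helpers.
# Assumes GNU coreutils (stat -c, install -d); function names are my own.
set -u

# sshd refuses a ChrootDirectory unless every component of the path is
# owned by root and is not writable by group or others. Walk the path,
# print the first component that breaks that rule, and return 1; return 0
# when the whole chain is clean.
check_chroot_path() {
    path=$1
    cur=""
    oldifs=$IFS; IFS=/
    set -- $path            # split into path components
    IFS=$oldifs
    for comp in "$@"; do
        [ -n "$comp" ] || continue
        cur="$cur/$comp"
        [ -d "$cur" ] || { echo "missing: $cur"; return 1; }
        owner=$(stat -c %u "$cur")
        mode=$(stat -c %a "$cur")     # e.g. 755 or 1777, no leading zero
        if [ "$owner" != "0" ]; then
            echo "not root-owned: $cur (uid $owner)"; return 1
        fi
        grp=$(( (mode / 10) % 10 ))   # group permission digit
        oth=$(( mode % 10 ))          # other permission digit
        if [ $(( grp & 2 )) -ne 0 ] || [ $(( oth & 2 )) -ne 0 ]; then
            echo "group/other writable: $cur (mode $mode)"; return 1
        fi
    done
    echo "ok: $path"
    return 0
}

# Emit the sshd_config fragment for one group. %u is expanded by sshd to
# the login name, so each group member lands in its own jail under $base.
sshd_match_block() {
    group=$1; base=$2
    printf 'Match Group %s\n    ChrootDirectory %s/%%u\n    ForceCommand internal-sftp\n' \
        "$group" "$base"
}

# Create the group, the user (no shell) and the directory layout from
# step 3 for one user. Must run as root. The jail itself stays root-owned
# and 755; only the inner home directory belongs to the user.
provision_sftp_user() {
    user=$1; base=$2; group=$3
    getent group "$group" >/dev/null || groupadd "$group"
    id "$user" >/dev/null 2>&1 || \
        useradd -g "$group" -d "/$user" -s /sbin/nologin "$user"
    install -d -o root -g "$group" -m 755 "$base" "$base/$user"
    install -d -o "$user" -g "$group" -m 755 "$base/$user/$user"
    check_chroot_path "$base/$user"
}

# Usage: sh sftpjail.sh provision [user] | check <path> | match
case "${1:-}" in
    provision) provision_sftp_user "${2:-sftpuser1}" /public/sftp sftpusers ;;
    check)     check_chroot_path "${2:?path required}" ;;
    match)     sshd_match_block sftpusers /public/sftp ;;
esac
```

After appending the output of `match` to /etc/ssh/sshd_config and before restarting, run `sshd -t` to syntax-check the file, and run `check /public/sftp/sftpuser1` to confirm the jail path will be accepted; a group-writable parent such as a 775 /public is enough to make every login for the group fail.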