create chroot sftp server in linux
Steps for creating a chroot SFTP server on a Linux server. The SFTP user is confined to its own jail directory: after logging in it can see and access only that folder, and nothing else on the host's filesystem.
Warning: if this is done incorrectly, you can lock yourself out of your server. Before proceeding, make sure you have an account with root (sudo) access, confirm you can log in to the remote server with it (this page uses password login), and keep that session open until you have verified the new configuration from a second terminal.
1. Add a group to house SFTP users. Steps 1 through 5 are performed on the remote server; step 6 is performed from the client.
[code language=”shell”]
sudo groupadd sftpusers
[/code]
2. Create an SFTP user with username sftpuser1 and add it to the sftpusers group.
Make /sftpuser1 the home directory for this user. This path is interpreted inside the chroot, not relative to the system root /: once the session is chrooted, /sftpuser1 resolves to /public/sftp/sftpuser1/sftpuser1 on the real filesystem (created in step 3). useradd is run without -m, so it does not try to create that directory now.
Give this user no shell login (the nologin shell). The SFTP session is served by sshd's internal-sftp, so no shell is needed.
Set a password for the user sftpuser1.
[code language=”shell”]
# -d is the home directory as seen inside the chroot; no -m, the folder is created in step 3
# On Debian/Ubuntu the nologin shell is /usr/sbin/nologin instead of /sbin/nologin
sudo useradd -g sftpusers -d /sftpuser1 -s /sbin/nologin sftpuser1
sudo passwd sftpuser1
[/code]
3. Create the folders and set ownership and permissions for the SFTP users.
/public/sftp will be the folder that houses the individual SFTP jails.
/public/sftp/sftpuser1/ will be the chroot folder for sftpuser1; everything under it is visible to sftpuser1. sshd only accepts a ChrootDirectory whose every path component is owned by root and not writable by group or others (otherwise the login fails and the sshd log shows "bad ownership or modes for chroot directory"), so this folder stays owned by root and the user gets no write access to it.
/public/sftp/sftpuser1/sftpuser1/ will be the home folder for sftpuser1, the one place the user can write.
[code language=”shell”]
# the chroot folder and its parents: owned by root, not writable by group or others
sudo mkdir -p /public/sftp/sftpuser1/sftpuser1/
sudo chown root:sftpusers /public/sftp/
sudo chown root:sftpusers /public/sftp/sftpuser1/
# only the inner home folder belongs to the user, so only it is writable by the user
sudo chown sftpuser1:sftpusers /public/sftp/sftpuser1/sftpuser1/
sudo chmod -R 755 /public/sftp/
[/code]
4. Edit /etc/ssh/sshd_config
Find the line that starts with Subsystem sftp, comment it out and replace it with the line below. internal-sftp runs the SFTP server inside the sshd process itself, so it works in a chroot that contains no binaries or libraries at all; the external sftp-server program would not exist inside the jail.
[code language=”shell”]
Subsystem sftp internal-sftp
[/code]
In the same file /etc/ssh/sshd_config, add the following at the end. A Match block applies only to connections that match it and extends to the end of the file (or to the next Match), so it has to come after all global settings. %u is replaced with the username, so each member of sftpusers lands in /public/sftp/<username>. ForceCommand internal-sftp ignores whatever the client requests and serves SFTP only. Many deployments also add AllowTcpForwarding no, X11Forwarding no and PermitTunnel no inside the block so the jailed account cannot use the SSH session as a tunnel.
[code language=”shell”]
Match Group sftpusers
ChrootDirectory /public/sftp/%u
ForceCommand internal-sftp
[/code]
In the same file /etc/ssh/sshd_config, make sure PasswordAuthentication is set to yes, since this setup logs in with the password set in step 2. If password authentication is disabled globally on the server, it can be enabled for just this group by placing the same line inside the Match block instead.
[code language=”shell”]
PasswordAuthentication yes
[/code]
5. Check the configuration, then restart sshd. Run sudo sshd -t first; it prints nothing when the file is valid, and a syntax error would otherwise leave sshd unable to start and you locked out. On systemd distributions the equivalent of the command below is sudo systemctl restart sshd (the unit is called ssh on Debian/Ubuntu). Do not log out of your existing session until step 6 succeeds from a second terminal.
[code language=”shell”]
sudo service sshd restart
[/code]
6. Connect with the command-line sftp client or a graphical SFTP client such as FileZilla or Cyberduck.
Use your server's domain name if it has one, otherwise use its IP address. After login, pwd prints /sftpuser1 and cd .. cannot climb above /, which is the jail /public/sftp/sftpuser1 on the real filesystem. A regular ssh login as sftpuser1 is refused with the message "This service allows sftp connections only."
[code language=”shell”]
sftp sftpuser1@yourserver.com
[/code]