create chroot sftp server in linux

Steps for creating a chroot sftp server in a linux server. The sftp user will be locked in jail in the sftp folder. In other words, the sftp user will only be able to access the sftp folder.
Warning: If this is done incorrectly, it’s possible you will be locked out of your server. For safety, create a user with root access and make sure you can login with root access to your remote server using password login before proceed to the following.

1. Add a group to house sftp users. Step 1 through step 5 are performed on the remote server.

sudo groupadd sftpusers

2. Create a sftp user with username sftpuser1 and add it to the sftpusers group.
Make /sftpuser1 the home direcoty for this user. This /sftpuser1 is in the chroot folder, not the system root /
Give no shell login access to this user.
Set a password for the user sftpuser1.

sudo useradd -g sftpusers -d /sftpuser1 -s /sbin/nologin sftpuser1
sudo passwd sftpuser1

3. Create folders and add appropriate ownership and permissions for the sftp users.
/public/sftp will be the folder to house individual sftp folders.
/public/sftp/sftpuser1/ will be the chroot folder for sftpuser1, everything in this folder will be accessable by sftpuser1.
/public/sftp/sftpuser1/sftpuser1/ will be the home folder for sftpuser1.

sudo mkdir /public/sftp/
sudo mkdir /public/sftp/sftpuser1/
sudo mkdir /public/sftp/sftpuser1/sftpuser1/
sudo chown root:sftpusers /public/sftp/
sudo chown root:sftpusers /public/sftp/sftpuser1/
sudo chown sftpuser1:sftpusers /public/sftp/sftpuser1/sftpuser1/
sudo chmod -R 755 /public/sftp/

4. Edit /etc/ssh/sshd_config
Find the line starts with Subsystem, comment it out and replace it with this line.

Subsystem sftp internal-sftp

In the same file /etc/ssh/sshd_config, add these at the end.

Match Group sftpusers
    ChrootDirectory /public/sftp/%u
    ForceCommand internal-sftp

In the same file /etc/ssh/sshd_config, make sure PasswordAuthentication is set to yes like this.

PasswordAuthentication yes

5. Restart sshd and logout.

sudo service sshd restart

6. sftp into the sftp server or using a sftp client such as Filezilla or CycberDuck.
Use your server domain if there is a domain for your server, else juse use the ip address of the server.


Search within Codexpedia

Custom Search

Search the entire web

Custom Search