Derek Neely

...notes for thyself, but useful for all...

SFTP Server Setup with Chroot

Nov 04, 2016 by derek


I've had to set up a few SFTP servers as of late with "jailed" or chroot'ed users. All in all this is pretty straightforward, but there is one thing I always forget I do at the end to make it 'cleaner' for users when they log in.



Create the root sftp directory our users will be jailed to.

# mkdir /sftp

Set up the group the sftp users will be in.

# groupadd sftpgroup

Create an sftp user, set their primary group to 'sftpgroup', and set their password.

# useradd -g sftpgroup -d /sftp/sftpuser -m -s /sbin/nologin sftpuser
# passwd sftpuser

Set up the sftp subsystem of the ssh daemon. Comment out the 'sftp-server' line and add internal-sftp in its place:

# vi /etc/ssh/sshd_config

#Subsystem sftp /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftp

At the bottom of sshd_config add the following Match block for the group's chroot directory (Match blocks have to stay at the end of the file):

Match Group sftpgroup
        ChrootDirectory /sftp
        ForceCommand internal-sftp

Now restart the ssh daemon to pick up the new config:

# service sshd restart

Now the one little extra bit I like to do is to not only have them chroot'ed, but also to make the user's home directory writable by them while keeping them out of the real jail root so they cannot list it and wander into other users' directories.

So we lock the user out of reading the jail root directory itself and then 'fake' the user's home directory path so it resolves back inside the jail.

# chmod 711 /sftp
# cd /sftp
# ln -s . sftp

What this does is trick the system about where the home directory is. The Match block we put into sshd_config makes / for the user be /sftp, so after login the system tries to change into the user's home directory, /sftp/sftpuser, relative to that new root, which is the real path /sftp/sftp/sftpuser. Without a soft link back to itself that path does not exist and the user lands in the jail root, which they cannot write to. The link makes the path resolve, so the user starts in their own directory and can write to it. The 711 mode also keeps /sftp owned by root and not writable by group or others, which sshd insists on for any ChrootDirectory.
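As an added example (this is my script, not the post's own), here are the steps above wrapped in one shell function, followed by a check that the resulting tree actually satisfies what sshd demands of a ChrootDirectory and that the self-referencing link is in place. It assumes GNU coreutils (stat -c), GNU sed, and the RHEL-style sshd_config path used in the post; the function names, the CHROOT/GROUP variables and the verification logic are mine.

```shell
#!/bin/sh
# Added example, not from the original post: the post's steps as a setup
# function plus a verification function. Assumes GNU coreutils (stat -c),
# GNU sed and /etc/ssh/sshd_config as on RHEL/CentOS.

CHROOT=/sftp
GROUP=sftpgroup
SSHD_CONFIG=/etc/ssh/sshd_config

# Report problems with a chroot tree. Arguments: chroot dir, user name, and
# the expected owner of the chroot dir (root in production; a test may pass
# the current user). Prints one line per failed check and returns the number
# of failures, so 0 means the layout is sound.
verify_sftp_chroot() {
    chroot_dir=$1
    user=$2
    owner=${3:-root}
    fails=0

    # sshd refuses a ChrootDirectory that is not owned by root or that is
    # group- or world-writable (it checks every parent component too; this
    # only checks the directory itself).
    dir_owner=$(stat -c '%U' "$chroot_dir" 2>/dev/null || echo missing)
    dir_perms=$(stat -c '%A' "$chroot_dir" 2>/dev/null || echo missing)
    if [ "$dir_owner" != "$owner" ]; then
        echo "$chroot_dir is owned by $dir_owner, expected $owner"
        fails=$((fails + 1))
    fi
    case $dir_perms in
        ?????w*|????????w*)    # 'w' in the group (6th) or other (9th) slot
            echo "$chroot_dir is group- or world-writable ($dir_perms)"
            fails=$((fails + 1)) ;;
    esac

    # The post's trick: /sftp/sftp -> . so that $HOME (/sftp/<user>) still
    # resolves to a real directory once / has become /sftp.
    link=$chroot_dir/$(basename "$chroot_dir")
    target=$(readlink "$link" 2>/dev/null || true)
    if [ "$target" != "." ]; then
        echo "$link is not a symlink to '.'"
        fails=$((fails + 1))
    fi

    # The home must exist inside the jail and belong to the user so they can
    # write there.
    home_owner=$(stat -c '%U' "$chroot_dir/$user" 2>/dev/null || echo missing)
    if [ "$home_owner" != "$user" ]; then
        echo "$chroot_dir/$user is owned by $home_owner, expected $user"
        fails=$((fails + 1))
    fi
    return "$fails"
}

# Apply the post's steps for one user. Must run as root.
setup_sftp_chroot() {
    user=$1
    mkdir -p "$CHROOT"
    chown root:root "$CHROOT"
    chmod 711 "$CHROOT"      # traversable by the user, not listable or writable
    getent group "$GROUP" >/dev/null || groupadd "$GROUP"
    id "$user" >/dev/null 2>&1 || \
        useradd -g "$GROUP" -d "$CHROOT/$user" -m -s /sbin/nologin "$user"
    [ -L "$CHROOT/$(basename "$CHROOT")" ] || ln -s . "$CHROOT/$(basename "$CHROOT")"

    # Swap sftp-server for internal-sftp once, and append the Match block
    # once (Match blocks must stay at the end of sshd_config).
    if ! grep -q '^Subsystem[[:space:]]*sftp[[:space:]]*internal-sftp' "$SSHD_CONFIG"; then
        sed -i 's|^Subsystem[[:space:]]*sftp.*|#&\nSubsystem sftp internal-sftp|' "$SSHD_CONFIG"
    fi
    if ! grep -q "^Match Group $GROUP" "$SSHD_CONFIG"; then
        printf '\nMatch Group %s\n\tChrootDirectory %s\n\tForceCommand internal-sftp\n' \
            "$GROUP" "$CHROOT" >> "$SSHD_CONFIG"
    fi
    sshd -t && service sshd restart      # validate the config before restarting
    verify_sftp_chroot "$CHROOT" "$user" root
}
```

As root, `setup_sftp_chroot sftpuser` reproduces the post's layout and restarts sshd only if `sshd -t` accepts the new config; `verify_sftp_chroot /sftp sftpuser` can be re-run any time to confirm nobody has loosened the permissions on /sftp or removed the link, the two things that silently break the login experience described above.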


Linux, SSH



© 2016 Derek Neely