Setup Chroot SFTP in Linux (Allow Only SFTP, Not SSH)
How to Setup chroot SFTP in Linux environment
Set up an account on the system that will be used only to transfer files (and not to SSH into the system).
First, create a group called sftpusers. Only users who belong to this group will be restricted to the SFTP chroot environment on this system.
root@host [~]# groupadd sftpusers
Now create a user who is allowed only to perform SFTP in a chroot environment and is not allowed to get shell access over SSH.
The following commands create a user named demo, assign the user to the sftpusers group, make /home/demo the home directory, and set /sbin/nologin as the shell (which prevents the user from logging in over SSH and getting a shell).
root@host [~]# useradd -g sftpusers -d /home/demo -s /sbin/nologin demo
root@host [~]# passwd demo
If you want to modify an existing user to be SFTP-only and put them in the chroot SFTP jail, do the following:
root@host [~]# usermod -g sftpusers -d / -s /sbin/nologin demo
Setup sftp-server Subsystem in sshd_config
At this point, instruct sshd to use internal-sftp for SFTP instead of the default sftp-server binary (internal-sftp runs inside the sshd process, so no binaries or libraries need to exist inside the chroot).
To do so, modify /etc/ssh/sshd_config: comment out the existing Subsystem line and add the new line as shown below.
#Subsystem sftp /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftp
Specify the chroot directory for the group by adding the following Match block to /etc/ssh/sshd_config.
Match Group sftpusers
    ChrootDirectory /home/%u
    ForceCommand internal-sftp
Under /home/demo, create any subdirectories you want the user to see. For example, create a public directory into which the user can upload files over SFTP.
root@host [~]# mkdir /home/demo/public
For the chroot to work properly, make sure the appropriate permissions are set on the directories for every user.
Set the ownership of the upload directory to the user, and its group to sftpusers, as shown below.
root@host [~]# chown demo:sftpusers /home/demo/public
Make sure the permissions of /home/demo and /home look like the following. Both must be owned by root and must not be writable by group or others, because sshd refuses to chroot into a directory that does not meet this requirement.
root@host [~]# ls -ld /home/demo
drwxr-xr-x 3 root root 4096 Dec 1 23:49 /home/demo
root@host [~]# ls -ld /home
drwxr-xr-x 3 root root 4096 Dec 1 23:49 /home
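The ownership and permission requirement above applies to every path component from the chroot directory up to /, and a mistake shows up only at login time as a refused connection with "bad ownership or modes for chroot directory" in the sshd log. The following shell function, added here as an example and not part of the original post, walks that chain and reports each component that is not root-owned or is group- or world-writable. It assumes GNU stat (Linux); the optional second and third arguments (expected owner uid, directory at which to stop walking up) exist only so the check can be exercised against a temporary tree, and the defaults are what a real sshd ChrootDirectory needs.

```shell
#!/bin/sh
# Added example (not from the original post): verify that a directory meets
# sshd's ChrootDirectory requirements. sshd refuses the login unless every
# path component from the chroot directory up to / is owned by root and is
# not writable by group or others.
#
# Usage: check_chroot_path /home/demo
# Assumes GNU stat (Linux). Optional args: expected owner uid (default 0)
# and the topmost directory to check (default /); both exist only for
# testing the function in a temporary tree.

check_chroot_path() {
    dir=$1
    want_uid=${2:-0}
    top=${3:-/}
    rc=0
    cur=$dir
    while :; do
        # "<uid> <symbolic mode>" for this component, e.g. "0 drwxr-xr-x"
        info=$(stat -c '%u %A' "$cur") || return 2
        uid=${info%% *}
        perms=${info#* }
        # character 6 is the group write bit, character 9 the other write bit
        gw=$(printf '%s' "$perms" | cut -c6)
        ow=$(printf '%s' "$perms" | cut -c9)
        if [ "$uid" -ne "$want_uid" ]; then
            echo "FAIL: $cur is owned by uid $uid, expected uid $want_uid"
            rc=1
        fi
        if [ "$gw" = "w" ] || [ "$ow" = "w" ]; then
            echo "FAIL: $cur is group- or world-writable ($perms)"
            rc=1
        fi
        [ "$cur" = "$top" ] && break
        parent=$(dirname "$cur")
        [ "$parent" = "$cur" ] && break   # reached the filesystem root
        cur=$parent
    done
    if [ "$rc" -eq 0 ]; then
        echo "OK: $dir satisfies sshd ChrootDirectory ownership and mode rules"
    fi
    return "$rc"
}

# Run directly as a script: check_chroot.sh /home/demo
if [ $# -gt 0 ]; then
    check_chroot_path "$@"
fi
```

Run it as root against /home/demo before restarting sshd; a non-zero exit with one or more FAIL lines means the login would be refused. Note that only the chroot directory and its parents must be root-owned; subdirectories such as /home/demo/public are the places where the user is meant to write, so the chown above is correct and is not flagged. The chroot directory being root-owned and read-only to the user also means the user cannot create files directly in /, only inside the writable subdirectories you provide.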
Finally, restart sshd and test your SFTP user: the user should be able to connect with an sftp client and see only the chroot contents, while an ssh login attempt should be refused.