How to Setup Chroot SFTP in Linux (Allow Only SFTP, not SSH)

May 25, 2016 by Linux Guru

Filed under Linux, Security

Last modified June 14, 2016

If you want to set up an account on your system that will be used only to transfer files (and not to ssh to the system), you should set up an SFTP chroot jail.

1. Create a New Group

Create a group called sftpusers. Only users who belong to this group will be automatically restricted to the SFTP chroot environment on this system.

# groupadd sftpusers

2. Create Users (or Modify Existing User)

Let us say you want to create a user user29omr who should be allowed only to perform SFTP in a chroot environment, and should not be allowed to log in over SSH.

The following command creates user29omr, assigns this user to the sftpusers group, makes /Fromtmp the home directory, and sets /sbin/nologin as the shell (which will not allow the user to ssh in and get shell access).

# useradd -g sftpusers -d /Fromtmp -s /sbin/nologin user29omr
# passwd user29omr

Verify that the user got created properly.

# grep user29omr /etc/passwd
user29omr:x:500:500::/Fromtmp:/sbin/nologin

If you want to modify an existing user, make them an SFTP-only user and put them in the chroot SFTP jail, do the following:

# usermod -g sftpusers -d /Fromtmp -s /sbin/nologin user29omr

3. Setup sftp-server Subsystem in sshd_config

You should instruct sshd to use internal-sftp for SFTP (instead of the default sftp-server). internal-sftp is built into sshd itself, so no sftp-server binary or supporting libraries need to exist inside the chroot.

Modify the /etc/ssh/sshd_config file and comment out the following line:

#Subsystem       sftp    /usr/libexec/openssh/sftp-server

Next, add the following line to the /etc/ssh/sshd_config file:

Subsystem       sftp    internal-sftp

Verify the result:

# grep sftp /etc/ssh/sshd_config
#Subsystem      sftp    /usr/libexec/openssh/sftp-server
Subsystem       sftp    internal-sftp

4. Specify Chroot Directory for a Group

You want to put only certain users (i.e. users who belong to the sftpusers group) in the chroot jail environment. Add the following lines at the end of /etc/ssh/sshd_config:

# tail /etc/ssh/sshd_config
Match Group sftpusers
        ChrootDirectory /opt/sftp/%u
        ForceCommand internal-sftp

5. Create sftp Home Directory

Since we've specified /opt/sftp/%u as ChrootDirectory above (sshd replaces %u with the user name at login), create this directory (which is the equivalent of your typical /home directory).

# mkdir -p /opt/sftp/user29omr/Fromtmp

Now, under /opt/sftp, create the individual directories for the users who are part of the sftpusers group, i.e. the users who will be allowed only to perform SFTP and will be in the chroot environment.

So, /opt/sftp/user29omr is equivalent to / for user29omr. When user29omr connects to the system over SFTP and performs "cd /", they will see only the content of the directories under "/opt/sftp/user29omr" (and not the real / of the system). This is the power of the chroot.

6. Setup Appropriate Permission

Set the ownership to the user, and the group to the sftpusers group, as shown below.

# chown user29omr:sftpusers /opt/sftp/user29omr/Fromtmp

The permissions will look like the following for the Fromtmp directory.

# ls -ld /opt/sftp/user29omr/Fromtmp
drwxr-xr-x 2 user29omr sftpusers 4096 Dec 28 23:49 /opt/sftp/user29omr/Fromtmp

The permissions will look like the following for the /opt/sftp/user29omr directory. Note that sshd requires every component of the ChrootDirectory path to be owned by root and writable only by root; if the chroot directory (or /opt/sftp, or /opt) were owned by the user or group-writable, sshd would refuse the login. This is why the user gets write access only to the Fromtmp subdirectory.

# ls -ld /opt/sftp/user29omr
drwxr-xr-x 3 root root 4096 Dec 28 23:49 /opt/sftp/user29omr

# ls -ld /opt/sftp
drwxr-xr-x 3 root root 4096 Dec 28 23:49 /opt/sftp

7. Restart sshd and Test Chroot SFTP

On EC2 instances, password authentication is disabled by default, so the password set in step 2 would not be accepted. To allow it, edit /etc/ssh/sshd_config and change

#PasswordAuthentication no

to

PasswordAuthentication yes

If you only want password logins for the SFTP accounts, place the PasswordAuthentication yes line inside the Match Group sftpusers block instead of enabling it globally.

Restart sshd:

# service sshd restart
