Restrict SFTP users to their home directory (chroot) with the Match keyword

You need OpenSSH 4.3p2+ to achieve this.

Add the following lines to the very bottom of your /etc/ssh/sshd_config file:

# use internal-sftp for sftp only users
Subsystem sftp internal-sftp

# users in the sftpuser group
Match Group sftpuser
    # chroot them into their home dir (%h)
    ChrootDirectory %h
    # use the internal-sftp subsystem
    ForceCommand internal-sftp
    # prevent TCP forwarding
    AllowTcpForwarding no

When this has been done, go and restart ssh:

$ /etc/init.d/ssh restart

To make this work for one of your existing users, start by creating the group which we specified in the Match configuration in sshd_config:

$ groupadd sftpuser

Now add one of your users to be a part of the group:

$ usermod -a -G sftpuser username

Edit your /etc/passwd file to set the home directory and shell:

username:x:6002:6003::/home/dir/goes/here:/bin/false

Here I set my home directory to /home/dir/goes/here, which the user will be jailed to. Then I set the login shell to /bin/false, so the user is unable to log in with ssh (only sftp).

The ownership should be root as user and sftpuser as group (root:sftpuser), and the directories should be chmod 755. If you do not set these you get errors, because sshd verifies the ownership and permissions of the chroot directory when you use the Match and ChrootDirectory configuration (possible error: fatal: bad ownership or modes for chroot directory "/home/dir/goes/here"):

$ find /home/ -type d -exec chown root:sftpuser {} \;
$ find /home/ -type d -exec chmod 755 {} \;

Remember that, for SSH security reasons, it is not possible to write directly into the chrooted directory (the home directory), due to the 755 mode (group cannot write) and the root ownership. Therefore create a directory inside your home directory called files/ ($ mkdir files) and assign permissions to it so the specific user is able to write (chown -R username:username ./files/).
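The following script is an added example (not part of the original post) covering the two steps above: it reproduces the ownership and mode check that sshd applies to every component of a ChrootDirectory path (owned by root, not group- or world-writable, and a directory), so you can find the offending component before the "bad ownership or modes" error shows up in the log, and it then lays out a home directory the way the post describes (root:sftpuser, mode 755, with a user-writable files/ subdirectory). It assumes GNU coreutils (stat -c). The optional uid argument to the check functions is an assumption of this example, added only so the checks can be exercised on directories you own; sshd itself always requires uid 0.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes GNU stat (-c).
# The optional WANT_UID argument exists only so the checks can be tried
# on directories you own; sshd always requires the owner to be root (0).

# dir_chroot_safe DIR [WANT_UID]
# One path component: must be a directory, owned by WANT_UID, and have no
# group/world write bits (mode & 022 == 0), which is what sshd checks.
dir_chroot_safe() {
    dir=$1
    want_uid=${2:-0}
    if [ ! -d "$dir" ]; then
        echo "chroot path component \"$dir\" is not a directory"
        return 1
    fi
    # %u = numeric owner uid, %a = permission bits in octal (e.g. 755)
    set -- $(stat -c '%u %a' "$dir")
    if [ "$1" -ne "$want_uid" ]; then
        echo "bad ownership for chroot directory component \"$dir\" (uid $1, want $want_uid)"
        return 1
    fi
    if [ $(( 0$2 & 022 )) -ne 0 ]; then
        echo "bad modes for chroot directory component \"$dir\" (mode $2 is group- or world-writable)"
        return 1
    fi
    return 0
}

# check_chroot_path PATH [WANT_UID]
# Walk from / down to PATH and apply dir_chroot_safe to each component,
# reporting the first one that would make sshd refuse the chroot.
check_chroot_path() {
    path=$1
    want_uid=${2:-0}
    case $path in
        /*) ;;
        *)  echo "chroot path must be absolute: $path"; return 1 ;;
    esac
    component=/
    rest=${path#/}
    while :; do
        dir_chroot_safe "$component" "$want_uid" || return 1
        [ -n "$rest" ] || break
        next=${rest%%/*}
        case $rest in
            */*) rest=${rest#*/} ;;
            *)   rest= ;;
        esac
        if [ -n "$next" ]; then
            component=${component%/}/$next
        fi
    done
    echo "ok: every component of \"$path\" passes sshd's chroot checks"
    return 0
}

# prepare_sftp_home HOME_DIR USER [OWNER_SPEC]
# Make HOME_DIR itself satisfy the checks (owner OWNER_SPEC, default
# root:sftpuser, mode 755) and give USER a writable files/ subdirectory,
# because the chroot directory itself must stay unwritable by the user.
prepare_sftp_home() {
    home=$1
    user=$2
    owner=${3:-root:sftpuser}
    mkdir -p "$home/files" || return 1
    chown "$owner" "$home" || return 1
    chmod 755 "$home" || return 1
    chown "$user" "$home/files" || return 1
    chmod 755 "$home/files" || return 1
    echo "prepared $home (owner $owner, 755) with $home/files owned by $user"
}

# Usage, as root, after creating the user as described above:
#   sh this_script.sh --run /home/dir/goes/here username
if [ "${1:-}" = "--run" ]; then
    check_chroot_path "$2" && prepare_sftp_home "$2" "$3"
fi
```

Run the check again after changing sshd_config and restarting; if it reports a component, that is the directory sshd will complain about. The check only covers the path rules; validate the configuration file itself with `sshd -t` before restarting.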
