How To Setup Chrooted SFTP In Linux

This guide explains how to setup Chrooted SFTP in Linux in order to restrict SSH user access to home directory or any particular directory. To put this in other words, we are going to force the users to a specific directory and set their shell to /bin/nologin or some other shell that denies access to a ssh login. Once the chrooted SFTP is configured, the users can only access their assigned home directory, but not the entire filesystem

Enabling chrooted SFTP access offers the following benefits:

• Allow the users to connect through only SFTP, but not allow them to connect through SSH.
• Restrict a SSH user session to their home directory or a specific directory of your choice.
• Restrict SSH access to certain users and still allow them to transfer files between local and remote systems.
• Deny user access to the entire file system.

Now, let us go ahead and setup Chrooted SFTP to limit the SSH users to Home directory and/or any other directory with Chrooted jail in Linux.

This guide is officially tested on Debian 11 bullseye, Ubuntu 20.04 LTS and Ubuntu 18.04 LTS distributions. However, the steps given below should work on any Linux distributions that supports openSSH.

Setup Chrooted SFTP in Linux

Starting from version 4.9, openSSH has a feature known as internal-sftp subsystem which allows only SFTP access, but not SSH access. So, the users can be able to access only the data from the server, but they can't access it using SSH.

Create Chrooted directory

First, Create a chrooted directory using command:

$ sudo mkdir /sftp

Make this directory fully owned by root user using command:

$ sudo chown root:root /sftp/

Under this directory, create separate directories for each user, like /sftp/user1, /sftp/user2, and /sftp/user3 and so on.

For the purpose of this guide, I am going to create a directory called ostechnix under /sftp directory.

$ sudo mkdir /sftp/ostechnix

This is the directory where the users can save the data. Also, the users can't go beyond this directory. It's just like their $HOME directory.

Create sftp group and assign users to that group

Now, we need to create the users to be able to access SFTP chrooted directory.

Create a group called sftponly as shown in the following command:

$ sudo groupadd sftponly

Then, create new SFTP users or assign existing users to the "sftponly" group as shown below.

Let me create a new user, for example senthil, and assign him to the "sftponly" group. And then, setup his home directory as /sftp/ostechnix and the default shell as /sbin/nologin.

We can do this using the following online command:

$ sudo useradd -g sftponly -d /ostechnix -s /sbin/nologin senthil

Set password for the newly-created user using command:

$ sudo passwd senthil

To modify the existing user, use "usermod" instead of "useradd" command like below:

$ sudo usermod -g sftponly -d /ostechnix -s /sbin/nologin senthil

Assign proper permissions to the chrooted directory

You need to assign proper permissions to the SFTP users to access their HOME directory like below.

$ sudo chown senthil:sftponly /sftp/ostechnix

$ sudo chmod 700 /sftp/ostechnix/

The other SFTP users can't access this directory.

Similarly, assign appropriate permissions to all other SFTP users as well.

Recommended Download - Free eBook: "Learn Linux in 5 Days"

Configure Chrooted SFTP

Edit /etc/ssh/sshd_config file:

$ sudo vi /etc/ssh/sshd_config

Find and comment out the following lines (i.e. add asterisk # in-front of it to comment out).

#Subsystem       sftp    /usr/libexec/openssh/sftp-server

In some distributions, for example Ubuntu 18.04 LTS, find and comment the following line:

#Subsystem sftp /usr/lib/openssh/sftp-server

Next, add the following lines at the end of the file:

Subsystem       sftp    internal-sftp
Match group sftponly
     ChrootDirectory /sftp/
     X11Forwarding no
     AllowTcpForwarding no
     ForceCommand internal-sftp

Configure chrooted SFTP

If you want to restrict users to $HOME directory, just replace /sftp with /home in the above code. Make sure you've specified the correct path of sftp directory. Press ESC and type :wq to save the file and exit.

Restart ssh service to update the changes.

$ sudo systemctl restart sshd

Now, try to SSH to this system from any other systems on the network using the sftp user (i.e senthil in our case).

$ ssh senthil@192.168.122.181

You will get the following error message.

senthil@192.168.122.181's password: 
This service allows sftp connections only.
Connection to 192.168.122.181 closed.

Here, 192.168.122.181 is my remote Debian system's IP address where I configured SFTP.

You can only access the remote system using sftp as shown below.

$ sftp senthil@192.168.122.181
senthil@192.168.43.2's password: 
Connected to 192.168.43.2.
sftp>

See? The user "senthil" can able to connect via sftp, but not via ssh.

To know the current working directory, use 'pwd' command:

sftp> pwd
Remote working directory: /ostechnix
sftp>

Setup chrooted SFTP in Linux

Basic SFTP commands

We can connect using an alternate port using -p flag.

$ sftp -P <port_number> remote_user@remote_host

To transfer remote file to the local system, do:

sftp> get /path/remote_file

We can transfer local file to the remote system using command:

sftp> put /path/local_file

To transfer remote folder to the local system recursively:

sftp> get -R /path/remote_folder

To display the list of files on local machine:

sftp> lls

To display the list of files on remote machine:

sftp> ls

For more details about sftp usage, refer man pages.

$ man sftp

Conclusion

In this guide, we have discussed how to configure and setup chrooted SFTP in Linux operating systems such as Debian and Ubuntu.

Suggested read:

• How to Change FTP Default Port To A Custom Port
• Install VSFTPD server in Ubuntu
• Secure VSFTPD server with TLS/SSL encryption in Ubuntu
• Setup FTP Server step by step in CentOS
• FTP_Manager : A Simple Script To Install And Manage FTP Server In CentOS