SFTP Chroot Jail on Ubuntu
10 Oct 2012

This shows you how to let a user transfer files via sftp while blocking their ssh login to the system. This is particularly useful if you host multiple sites and want to give specific clients or users access only to the files inside their own site directory.
Create an sftp group
sudo groupadd sftp
Create a user
Assign a custom home directory for the new user we are going to add. In this case, their site directory: /srv/www/johndoesite.com/
sudo useradd -d /srv/www/johndoesite.com/ jdoe
Set their password
sudo passwd jdoe
Change the user's primary group to the one we just created
sudo usermod -g sftp jdoe
Set their shell to /bin/false
sudo usermod -s /bin/false jdoe
Set Permissions
This will recursively make jdoe the owner of all files and folders in johndoesite.com/
sudo chown -R jdoe:sftp /srv/www/johndoesite.com
This next command then makes root the owner of the johndoesite.com directory itself. Also make sure every directory above it (in this case /srv/www/ and /srv) is owned by root; sshd refuses to chroot into a directory whose path is not root-owned, so this is necessary for the jail to work.
sudo chown root:root /srv/www/johndoesite.com
Configuring OpenSSH
sudo nano /etc/ssh/sshd_config
Scroll to the bottom and add the following, commenting out any existing Subsystem sftp line elsewhere in the file. The Match block must stay at the end of the file, because every directive after a Match line applies only to the sessions it matches:
Subsystem sftp internal-sftp
Match Group sftp
    ChrootDirectory %h
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp
Restart ssh (on Ubuntu the service is named ssh, not sshd)
sudo service ssh restart
Test
If everything worked as expected, this should succeed (replace <server> with your server's hostname or IP address):
sftp jdoe@<server>
But this should be refused:
ssh jdoe@<server>