SFTP Chroot Jail on Ubuntu

This shows you how to let a user transfer files via sftp while blocking their access via ssh into the system. This is particularly useful if you are hosting multiple sites and want to give specific clients/users access to files only inside their site directory.

Create an sftp group

sudo groupadd sftp

Create a user

Assign a custom home directory for the new user we are going to add. In this case, their site directory: /srv/www/jondoesite.com/

sudo useradd -d /srv/www/johndoesite.com/ jdoe

Set their password

sudo passwd jdoe

Change the user’s primary group to the one we just created

sudo usermod -g sftp jdoe

Set their shell to /bin/false

sudo usermod -s /bin/false jdoe

Set Permissions

This will recursively make jdoe the owner of all files/folders in jondoesite.com/

chown jdoe:sftp -R johndoesite.com

But this next command will make sure root is still the owner of the parent directory (jondoesite.com). Also make sure all the folders above jondoesite.com are owned by root (in this case /srv/www/). This is necessary in order for jailing to work correctly.

chown root:root johndoesite.com

Configuring OpenSSH

sudo nano /etc/ssh/sshd_config

Scroll to bottom and add this while commenting out any other variations of these commands in their place:

Subsystem sftp internal-sftp
Match group sftp
ChrootDirectory %h
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp

Restart ssh

service sshd restart

Test

If everything worked as expected, this should work

sftp [email protected]

But this should not

ssh [email protected]
If you have any questions or comments, please post them below. If you liked this post, you can share it with your followers or follow me on Twitter!