How To Setup Chrooted SFTP In Linux

Get real time updates directly on you device, subscribe now.

This information explains tips on how to setup Chrooted SFTP in Linux so as to limit SSH person entry to house listing or any specific listing. To place this in different phrases, we’re going to drive the customers to a particular listing and set their shell to /bin/nologin or another shell that denies entry to a ssh login. As soon as the chrooted SFTP is configured, the customers can solely entry their assigned house listing, however not all the filesystem

Enabling chrooted SFTP entry provides the next advantages:

Permit the customers to attach via solely SFTP, however not permit them to attach via SSH. Limit a SSH person session to their house listing or a particular listing of your alternative. Limit SSH entry to sure customers and nonetheless permit them to switch information between native and distant techniques. Deny person entry to all the file system.

Now, allow us to go forward and setup Chrooted SFTP to restrict the SSH customers to Residence listing and/or every other listing with Chrooted jail in Linux.

This information is formally examined on Debian 11 bullseye, Ubuntu 20.04 LTS and Ubuntu 18.04 LTS distributions. Nonetheless, the steps given beneath ought to work on any Linux distributions that helps openSSH.

Setup Chrooted SFTP in Linux

Ranging from model 4.9, openSSH has a function often known as internal-sftp subsystem which permits solely SFTP entry, however not SSH entry. So, the customers can have the ability to entry solely the info from the server, however they cannot entry it utilizing SSH.

Create Chrooted listing

First, Create a chrooted listing utilizing command:

$ sudo mkdir /sftp

Make this listing absolutely owned by root person utilizing command:

$ sudo chown root:root /sftp/

Below this listing, create separate directories for every person, like /sftp/user1/sftp/user2, and /sftp/user3 and so forth.

For the aim of this information, I’m going to create a listing referred to as ostechnix below /sftp listing.

$ sudo mkdir /sftp/ostechnix

That is the listing the place the customers can save the info. Additionally, the customers cannot transcend this listing. It is similar to their $HOME listing.

Create sftp group and assign customers to that group

Now, we have to create the customers to have the ability to entry SFTP chrooted listing.

Create a gaggle referred to as sftponly as proven within the following command:

$ sudo groupadd sftponly

Then, create new SFTP customers or assign current customers to the “sftponly” group as proven beneath.

Let me create a brand new person, for instance senthil, and assign him to the “sftponly” group. After which, setup his house listing as /sftp/ostechnix and the default shell as /sbin/nologin.

We will do that utilizing the next on-line command:

$ sudo useradd -g sftponly -d /ostechnix -s /sbin/nologin senthil

Set password for the newly-created person utilizing command:

$ sudo passwd senthil

To change the present person, use “usermod” as an alternative of “useradd” command like beneath:

$ sudo usermod -g sftponly -d /ostechnix -s /sbin/nologin senthil

Assign correct permissions to the chrooted listing

It’s essential assign correct permissions to the SFTP customers to entry their HOME listing like beneath.

$ sudo chown senthil:sftponly /sftp/ostechnix $ sudo chmod 700 /sftp/ostechnix/

The opposite SFTP customers cannot entry this listing.

Equally, assign acceptable permissions to all different SFTP customers as properly.

Really helpful Obtain – Free eBook: “Study Linux in 5 Days”

Configure Chrooted SFTP

Edit /and many others/ssh/sshd_config file:

$ sudo vi /and many others/ssh/sshd_config

Discover and remark out the next strains (i.e. add asterisk # in-front of it to remark out).

#Subsystem sftp /usr/libexec/openssh/sftp-server

In some distributions, for instance Ubuntu 18.04 LTS, discover and remark the next line:

#Subsystem sftp /usr/lib/openssh/sftp-server

Subsequent, add the next strains on the finish of the file:

Subsystem sftp internal-sftp
Match group sftponly
ChrootDirectory /sftp/
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp

Configure chrooted SFTP

Configure chrooted SFTP

If you wish to limit customers to $HOME listing, simply change /sftp with /house within the above code. Be sure you’ve specified the proper path of sftp listing. Press ESC and kind :wq to avoid wasting the file and exit.

Restart ssh service to replace the modifications.

$ sudo systemctl restart sshd

Now, attempt to SSH to this method from every other techniques on the community utilizing the sftp person (i.e senthil in our case).

$ ssh [email protected]

You’ll get the next error message.

[email protected]’s password:
This service permits sftp connections solely.
Connection to closed.

Right here, is my distant Debian system’s IP handle the place I configured SFTP.

You’ll be able to solely entry the distant system utilizing sftp as proven beneath.

$ sftp [email protected]
[email protected]’s password:
Linked to

See? The person “senthil” can in a position to join through sftp, however not through ssh.

To know the present working listing, use ‘pwd’ command:

sftp> pwd
Distant working listing: /ostechnix

Setup chrooted SFTP in Linux

Setup chrooted SFTP in Linux

Primary SFTP instructions

We will join utilizing an alternate port utilizing -p flag.

$ sftp -P [email protected]_host

To switch distant file to the native system, do:

sftp> get /path/remote_file

We will switch native file to the distant system utilizing command:

sftp> put /path/local_file

To switch distant folder to the native system recursively:

sftp> get -R /path/remote_folder

To show the checklist of information on native machine:

sftp> lls

To show the checklist of information on distant machine:

sftp> ls

For extra particulars about sftp utilization, refer man pages.

$ man sftp


On this information, we’ve mentioned tips on how to configure and setup chrooted SFTP in Linux working techniques comparable to Debian and Ubuntu.

Prompt learn:

Comments are closed.

This website uses cookies to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish. Accept Read More