Hits : 3287

Chroot SFTP only access

A simple tutorial on howto give a Chroot SFTP only access to a user

Contents

User/Group
sshd configuration file
Permissions
testing

User/Group

Create a user without shell access

# groupadd USERNAME
# useradd -g USERNAME USERGROUP
# usermod -s /sbin/nologin USERNAME

(of course all the above can be done with only one command).

Dont forget to give your new user a decent password

# passwd USERNAME
Changing password for user USERNAME.
New password: 
Retype new password: 
passwd: all authentication tokens updated successfully.

top

sshd configuration file

Edit sshd_config with your favorite editor

# vim /etc/ssh/sshd_config

and add the below lines:

AllowUsers USERNAME

Match user USERNAME
        ChrootDirectory /home/USERNAME/
        ForceCommand internal-sftp
        PasswordAuthentication yes

after that you have to restart the sshd daemon

/etc/init.d/sshd restart

top

Permissions

Be aware that the home directory must be owned by root

# chown -R root:USERGROUP /home/USERNAME/

top

testing

user@machine ~$ sftp USERNAME@server
Password: 
Connected to USERNAME.
sftp> cd /tmp/
Couldn't canonicalize: Permission denied
sftp>

or use FileZilla

top