Chroot SFTP-only access


A simple tutorial on how to give a user chroot, SFTP-only access

User/Group


Create a user without shell access

# groupadd USERGROUP
# useradd -g USERGROUP USERNAME
# usermod -s /sbin/nologin USERNAME


(Of course, all of the above can be done with a single useradd command.)


Don't forget to give your new user a decent password:

# passwd USERNAME
Changing password for user USERNAME.
New password: 
Retype new password: 
passwd: all authentication tokens updated successfully.



sshd configuration file


Edit sshd_config with your favorite editor

# vim /etc/ssh/sshd_config


and add the lines below. Note that AllowUsers restricts SSH logins to the users listed, so include any other accounts that must still be able to log in:

AllowUsers USERNAME

Match User USERNAME
        ChrootDirectory /home/USERNAME/
        ForceCommand internal-sftp
        PasswordAuthentication yes


After that, restart the sshd daemon:

# /etc/init.d/sshd restart



Permissions


Be aware that the chroot directory (and every directory above it) must be owned by root and must not be writable by group or others, otherwise sshd refuses the login:

# chown -R root:USERGROUP /home/USERNAME/




Testing


user@machine ~$ sftp USERNAME@server
Password: 
Connected to USERNAME.
sftp> cd /tmp/
Couldn't canonicalize: Permission denied
sftp>


or use FileZilla[link1]


Links
[link1] https://filezilla-project.org/