How to use SFTP with a chroot jail
Posted: Mon Mar 20, 2023 12:17 pm
Creating a new group
The first thing to do is to create a new group for SFTP users. Open a terminal window and issue the command:

```
sudo groupadd sftponly
```

Adding and modifying users
Next, we need to add users to this new group. If you need to create a new user (and add them to the group), this can be done with the useradd command like so:

```
sudo useradd -g sftponly -s /bin/false -m -d /home/USERNAME USERNAME
```

Where USERNAME is the name of the user to be added.
The above command will ensure the user is unable to log in via SSH, as it assigns /bin/false as the user's shell. Once you add a new user, make sure to set a password with the command:

```
sudo passwd USERNAME
```

Where USERNAME is the name of the user just added.
If you already have users you want to add to the group, you can do so with the command:

```
sudo usermod -aG sftponly -s /bin/false USERNAME
```

Where USERNAME is the user to be added and their shell will be changed. The -a flag appends sftponly to the user's supplementary groups; without it, usermod -G replaces the user's existing supplementary groups with sftponly alone. Do note, however, if the user does require SSH login, they won't be able to do this once you make that change. If that's the case, consider creating a new user specifically for their SFTP needs.
The user's home directory ownership and permissions must now be changed, because sshd will only chroot into a directory that is owned by root and not writable by group or others. To do this, issue the following commands:

```
sudo chown root: /home/USERNAME
sudo chmod 755 /home/USERNAME
```

With the user's directories now owned by root, they won't be able to create files and/or directories. To get around that (so they can upload and download files), create new subdirectories (within their home directory) that they will have access to with the following commands:

```
sudo mkdir /home/USERNAME/{ftp_up,ftp_down}
sudo chmod 755 /home/USERNAME/{ftp_up,ftp_down}
sudo chown USERNAME:sftponly /home/USERNAME/{ftp_up,ftp_down}
```

Note: You can name the ftp_up and ftp_down directories anything you like.
Configuring SSH
Now we need to configure SSH. Issue the command:

```
sudo nano /etc/ssh/sshd_config
```

In that file, look for the line:

```
Subsystem sftp /usr/lib/openssh/sftp-server
```

Change that line to:

```
Subsystem sftp internal-sftp
```

(The external sftp-server binary is not reachable from inside the chroot, so the in-process internal-sftp is used instead.) Scroll to the bottom of the file and add the following:

```
Match Group sftponly
ChrootDirectory %h
ForceCommand internal-sftp
AllowTcpForwarding no
X11Forwarding no
```

Save and close the file. Restart the SSH daemon with the command:

```
sudo systemctl restart sshd
```

Testing
Now we can actually test our new setup. Log in with one of the newly created users (or an existing user) with the command:

```
sftp USERNAME@SERVER_IP
```
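As an added example that is not part of the original post: a small POSIX shell check for the ownership and permission chain that sshd enforces for ChrootDirectory. The most common failure with this setup is a login refused with "bad ownership or modes for chroot directory", which happens when the home directory or any of its parents is not owned by root or is group/world writable. The OWNER_UID and TOP parameters are assumptions of this script (so it can be exercised on a scratch tree); on a real server call it with owner 0 and top /. It assumes GNU stat (Linux).

```sh
#!/bin/sh
# Added example, not from the original post. Walks from DIR up to TOP
# and checks every directory is owned by OWNER_UID and is not writable
# by group or others, which is what sshd requires for ChrootDirectory.
# Prints the first offending path to stderr and returns 1; returns 0 if
# the whole chain is acceptable.
check_chroot_chain() {
    dir=$1
    owner=${2:-0}   # uid that must own every directory (0 = root)
    top=${3:-/}     # last directory to check (assumed parameter for testing)
    while :; do
        # GNU stat: numeric owner uid and octal mode, e.g. "0 755"
        info=$(stat -c '%u %a' "$dir") || return 1
        uid=${info% *}
        mode=${info#* }
        if [ "$uid" != "$owner" ]; then
            echo "bad owner on $dir: uid $uid, expected $owner" >&2
            return 1
        fi
        # 18 is octal 022: the group-write (020) and other-write (002) bits
        if [ $((0$mode & 18)) -ne 0 ]; then
            echo "bad mode on $dir: $mode is group/world writable" >&2
            return 1
        fi
        [ "$dir" = "$top" ] && return 0
        [ "$dir" = "/" ] && return 0
        dir=$(dirname "$dir")
    done
}

# Stand-alone use on a server: sh check_chroot.sh /home/USERNAME
if [ -n "${1-}" ]; then
    check_chroot_chain "$1" 0 / && echo "chroot chain for $1 looks good"
fi
```

Run it before restarting sshd, together with `sudo sshd -t` for a syntax check of sshd_config, so a bad permission chain is caught before users start reporting failed logins.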