Restricting SFTP users with chrooted access

The scope of this post decribes how to give users chrooted SFTP access to your system. In a nutshell your users will be tied-down in a specific directory which they will not be able to move out from, thus preventing then from seeing you entire system.

Whilst this works happily in my lab environment, I do not issue any guarantee that this will work for you!

Enabling SFTP is very easy to do, simply open /etc/ssh/sshd_config...

# vi /etc/ssh/ssh_config


Subsystem sftp


Subsystem sftp internal-sftp

Then at the end of the configuration file, add the following lines for each user you want to chroot:

For a given user, use:

Match User mchurchi
    ChrootDirectory /home
    AllowTCPForwarding no
    X11Forwarding no
    ForceCommand internal-sftp

Instead of adding a entry for each user, you can also chroot groups, for example:

For a given group, use:

Match Group sftp-only
   ChrootDirectory /home
   AllowTCPForwarding no
   X11Forwarding no
   ForceCommand internal-sftp

This would chroot all members of the sftp-only group to the /home directorey

NOTE: Don't forget to add the individiual isers to the sftp-only group in /etc/group


If you chroot multiple users to the same directory, but don't want users to browse the home directories of the other users, you can change the permissions of each home directory, for example:

chmod 0700 /home/mchurchi

Restart SSH

/etc/init.d/ssh restart

Afterwards you users can log in with there favourite SFTP client

NOTE: At this point the users/groups that we have specified in /etc/ssh/sshd_config will only have SFTP access. SSH will not work for these users because an SSH chroot environment needs additional files to work (and because we use ForceCommand internal-sftp). See my other post on restricting ssh users with chrooted access