Configure SFTP with Chroot Jail
Setting up a chroot jail for SFTP (the SSH File Transfer Protocol) on a Debian server restricts each user's view of the file system to a single directory: the user can transfer files within it but cannot see or reach anything outside it. This is the usual way to grant limited file transfer access to an account without giving it a shell.
Requirements
openssh-server
Ensure that the SSH server is installed:
apt install openssh-server
Creating User and Group
Create a group for chroot-restricted users:
groupadd sftponly
Add a user to this group with a home directory and a non-interactive shell (with ForceCommand internal-sftp below, the shell is never started, but /bin/false also blocks interactive login should the Match block ever be removed):
useradd -m -g sftponly -s /bin/false username
passwd username
The directory used as the chroot root must be owned by root and must not be writable by group or others; sshd checks every component of the path and refuses the login otherwise (the auth log then shows "bad ownership or modes for chroot directory"). useradd -m creates the home owned by the user, so fix the ownership and mode:
chown root:root /home/username
chmod 755 /home/username
Because the user cannot write to the jail root, create a subdirectory they own to hold their files:
mkdir /home/username/files
chown username:sftponly /home/username/files
Configuring SSH
Edit the SSH daemon configuration file:
nano /etc/ssh/sshd_config
Configuring Chroot Environment
Restrict to user
In the sshd_config file, set the sftp subsystem to the in-process server in the global section (Debian ships Subsystem sftp /usr/lib/openssh/sftp-server; replace that line, since an external sftp-server binary is not available inside the jail) and add a Match block at the end of the file:
Subsystem sftp internal-sftp
Match User username
ChrootDirectory /home/%u
ForceCommand internal-sftp
AllowTcpForwarding no
X11Forwarding no
Replace /home/%u with your desired chroot directory (%u expands to the user name) and username with the name of the restricted user. Two ordering rules matter: Subsystem is not a valid keyword inside a Match block, so it must stay above the Match line, and every directive after a Match line belongs to that block until the next Match or the end of the file, so place the block after all global settings.
Restrict to group
To apply the jail to every member of the sftponly group rather than a single account, use Match Group instead, again with Subsystem in the global section and the block at the end of sshd_config:
Subsystem sftp internal-sftp
Match Group sftponly
ChrootDirectory /home/%u
ForceCommand internal-sftp
AllowTcpForwarding no
X11Forwarding no
Replace /home/%u with your desired chroot directory and sftponly with the group name for restricted users. Because ChrootDirectory is /home/%u, each member of the group gets their own jail, and each of those home directories must meet the root-owned, non-group-writable requirement described above.
Restarting SSH
Check the configuration before applying it: sshd -t prints nothing when the file is valid and reports the offending line otherwise (a Subsystem line that ended up inside a Match block is a typical error). A restart on a broken configuration would leave no working SSH service, so only then restart the daemon (on Debian the unit is ssh; sshd is an alias for it):
systemctl restart sshd
Testing the Configuration
Test your setup by connecting through an SFTP client using the newly created user credentials. Inside the session the working directory shows as / (the jail root), pwd and ls reveal only the files subdirectory, an upload into files/ succeeds, and an upload directly into / is denied because the jail root is root-owned. A plain ssh login with the same credentials must be refused, since ForceCommand routes every session to internal-sftp. If the SFTP login itself fails, check the auth log on the server for the chroot ownership message above.