How can I chroot sftp-only SSH users into their homes?


I want to give a client access to my server, but I want to limit those users to their home directories. I will bind-mount in any files I want them to be able to see.

I've created a user called bob and added him to a new group called sftponly. They have a home directory at /home/bob. I've changed their shell to /bin/false to stop SSH logins. Here is their /etc/passwd line:


I've also changed the /etc/ssh/sshd_config to include the following:

Match Group sftponly
    ChrootDirectory /home/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no

When I try to log in as them, here's what I see:

$ sftp bob@server
bob@server's password:
Write failed: Broken pipe
Couldn't read packet: Connection reset by peer

If I comment out the ChrootDirectory line I can SFTP in but then they have free rein over the server. I have found that ChrootDirectory /home works, but it still gives them access to any home directory. I have...


If you want to set up an account on your system that will be used only to transfer files (and not to ssh to the system), you should set up an SFTP chroot jail as explained in this article.

In a typical sftp scenario (when chroot sftp is not set up), if you use sftp, you can see root's files as shown below.

If you want to give sftp access on your system to outside vendors to transfer files, you should not use standard sftp. Instead, you should set up a chroot SFTP jail as explained below.

Non-Chroot SFTP Environment

In the following example (a typical sftp environment), john can sftp to the system, and view /etc folder and download the files from there.

# sftp john@thegeekstuff
john@thegeekstuff's password:
sftp> pwd
Remote working directory: /home/john
sftp> ls
projects  john.txt  documents
sftp> cd /etc
sftp> ls -l passwd
-rw-r--r--    0 0        0            3750 Dec 29 23:09 passwd
sftp> get passwd
Fetching /etc/passwd to passwd
/etc/passwd    100% 3750 ...

There are some scenarios where a system admin wants only a few users to be allowed to transfer files to Linux boxes, but no SSH. We can achieve this by setting up SFTP in a chroot environment.

Background of SFTP & chroot:

SFTP stands for SSH File Transfer Protocol or Secure File Transfer Protocol. SFTP provides file access, file transfer, and file management functionality over any reliable data stream. When we configure SFTP in a chroot environment, the allowed users will be limited to their home directory; or, we can say, the allowed users will be in a jail-like environment where they can't even change their directory.

In this article we will configure chroot SFTP on RHEL 6.X & CentOS 6.X. We have one user 'Jack'; this user will be allowed to transfer files to the Linux box but will have no ssh access.

Step 1: Create a group

[root@localhost ~]# groupadd sftp_users

Step 2: Assign the secondary group (sftp_users) to the user.

If the user doesn't exist on...


In this tutorial, we will be discussing how to restrict SFTP users to their home directories or specific directories. It means the user can only access his/her respective home directory, not the entire file system.

Restricting users to their home directories is vital, especially in a shared server environment, so that an unauthorized user can't sneak a peek at other users' files and folders.

Important: Please also note that the purpose of this article is to provide SFTP access only, not SSH logins; users set up by following this article will have permission to transfer files, but will not be allowed to open a remote SSH session.

The simplest way to do this is to create a chrooted jail environment for SFTP access. This method is the same for all Unix/Linux operating systems. Using a chrooted environment, we can restrict users either to their home directory or to a specific directory.

Restrict Users to Home Directories

In this section, we will create new group called...


OpenSSH 4.9+ includes a built-in chroot for sftp, but requires a few tweaks to the normal install.


This package is available in the core repository. To install it, run

# pacman -S openssh


First, we need to create the sftponly group

# groupadd sftponly

The following changes to the SSH daemon configuration set the permissions for the sftponly group:

/etc/ssh/sshd_config
Match Group sftponly
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no
    PermitTunnel no
    X11Forwarding no

Or for a single user:

/etc/ssh/sshd_config
Match User username
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no
    PermitTunnel no
    X11Forwarding no

Change chroot directory rights

The chroot directory must be owned by root.

# chown root:root /home/username

Add the 'sftponly' group to each user with remote access rights:

# gpasswd -a USER sftponly

With the standard path of...


The first error message ("Could not chdir...") is coming from ChrootDirectory in your sshd_config. From the documentation:


Specifies the pathname of a directory to chroot(2) to after authentication. All components of the pathname must be root-owned directories that are not writable by any other user or group. After the chroot, sshd(8) changes the working directory to the user's home directory.

After attempting the chroot is when the problem occurs about not being able to find bash. This is related to not having the entire chroot environment setup (see the documentation for chroot(2)).

If you want the user's interactive environment to be chroot'd (not just sftp) you have a lot of work to do. Depending on your ultimate goal, you may want to simply use a restricted shell instead (check out bash(1) and vim(1) and search for "restricted" to find some ideas of how to set things up).

I found a couple of other references to similar...

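The ChrootDirectory rule quoted above (every path component root-owned and not writable by group or others) is the usual cause of the "Broken pipe" / connection reset seen in the opening question: /home/bob is owned by bob, so sshd refuses the chroot and drops the session. The following POSIX shell script is an added example, not code from any of the posts on this page; it walks a candidate ChrootDirectory path component by component and reports which one would make sshd reject it. It assumes GNU coreutils stat (the -c '%u %A' format) and a constructed temporary tree for its demonstration.

```shell
#!/bin/sh
# Added example: pre-check a ChrootDirectory path against the sshd_config(5)
# requirement that all components are root-owned directories not writable by
# any other user or group. Assumes GNU stat (Linux); demo tree is constructed.

# component_problem UID SYMBOLIC_MODE
# Prints the reason a single path component is unacceptable (empty if it is
# fine). Returns 0 when acceptable, 1 otherwise.
component_problem() {
    uid=$1
    sym=$2            # e.g. drwxr-xr-x (char 6 = group write, char 9 = other write)
    if [ "$uid" != 0 ]; then
        echo "not owned by root (uid $uid)"
        return 1
    fi
    case $sym in
        ????????w*) echo "world-writable"; return 1 ;;
        ?????w*)    echo "group-writable"; return 1 ;;
    esac
    return 0
}

# check_chroot_path ABSOLUTE_PATH
# Walks from / down to the target, printing "component: reason" for every
# violation. Returns 0 only if sshd would accept the whole path.
check_chroot_path() {
    target=$1
    case $target in
        /*) ;;
        *)  echo "$target: ChrootDirectory must be an absolute path"; return 1 ;;
    esac
    status=0
    cur=""
    rest=${target#/}
    while [ -n "$rest" ]; do
        comp=${rest%%/*}
        if [ "$comp" = "$rest" ]; then rest=""; else rest=${rest#*/}; fi
        [ -z "$comp" ] && continue        # skip empty components from "//"
        cur="$cur/$comp"
        if [ ! -d "$cur" ]; then
            echo "$cur: not a directory"
            status=1
            break                          # nothing below it can exist either
        fi
        info=$(stat -c '%u %A' "$cur")    # "UID drwxr-xr-x"
        reason=$(component_problem "${info%% *}" "${info#* }") || {
            echo "$cur: $reason"
            status=1
        }
    done
    return $status
}

# Demonstration on a constructed tree (a group-writable home, the common
# mistake when a user-owned home is used as the chroot). Run as root on the
# real path, e.g. check_chroot_path /home/bob, to see why sshd refuses it.
demo=$(mktemp -d)
mkdir -p "$demo/home/bob"
chmod 775 "$demo/home/bob"
check_chroot_path "$demo/home/bob" || echo "sshd would refuse ChrootDirectory $demo/home/bob"
rm -rf "$demo"
```

Note that the script also flags /tmp-style components (mode 1777), which is correct: sshd applies the same rule to every ancestor. Once the chroot root itself is root-owned and mode 755, the user cannot write at the top of the jail, which is why several of the posts below create a user-owned subdirectory (for example /home/netdrive/home/netdrive) for uploads.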

With previous versions of OpenSSH, the only way to confine users to their home directories was with third-party hacks or elaborate chroot setups. The recently-released 4.9p1 release of OpenSSH, however, provides the ability to chroot users without the use of third-party add-ons; a welcome addition to this powerful tool.

As well, providing SFTP services that restricts users to their home directory is much simpler now.

To begin, ensure you have OpenSSH 4.9p1 or newer installed. Then edit /etc/ssh/sshd_config (/etc/sshd_config on some distributions) and set the following options:

Subsystem sftp internal-sftp

Match Group sftp
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no

Ensure the "Match" directive is at the end of the file. This tells OpenSSH that all users in the sftp group are to be chrooted to their home directory (which %h represents in the ChrootDirectory command), forces the use of the internal-sftp helper, and disables TCP...


Restricting Users To SFTP Plus Setting Up Chrooted SSH/SFTP (Debian Squeeze)

Version 1.0
Author: Falko Timme

This tutorial describes how to give users chrooted SSH and/or chrooted SFTP access on Debian Squeeze. With this setup, you can give your users shell access without having to fear that they can see your whole system. Your users will be jailed in a specific directory which they will not be able to break out of. I will also show how to restrict users to SFTP so that they cannot use SSH (this part is independent from the chroot part of this tutorial).

I do not issue any guarantee that this will work for you!

1 Preliminary Note

I will use the user falko here with the home directory /home/falko. The user falko belongs to the group users. I want to chroot the user to the /home directory.

2 Installing OpenSSH

If OpenSSH is not already installed, install it as follows:



Here is a guide for setting up SFTP users whose access is restricted to their home directory.

Add the following to the end of the /etc/ssh/sshd_config file:

Subsystem sftp internal-sftp

# This section must be placed at the very end of sshd_config
Match Group sftponly
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no

This means that all users in the 'sftponly' group will be chroot'd to their home directory, where they will only be able to run internal SFTP processes.

Now you can create the group sftponly by running the following command:

$ groupadd sftponly

Set a user’s group:

$ usermod steve -g sftponly

To deny SSH shell access, run the following command:

$ usermod steve -s /bin/false

And set the user’s home directory:

$ usermod steve -d /folder

Finally, you probably need to restart SSH

$ service ssh restart

The SSH part should now be in order, but you should make sure that file permissions also are...


Chrooting sftp users will allow you to 'hide' the parts of the file system that they do not need access to, or rather, to deny them access to everything and then select what you want them to be able to access. This has obvious security benefits if done correctly. wikipedia chroot.

After spending many hours trying (and failing) to get scponlyc to work on a 64-bit system, I found that OpenSSH allows you to chroot users by adding just 4 lines to your sshd config file, creating a group for sftp-only users and changing a few permissions.

Required packages: OpenSSH version 4.9 or greater (at the time of writing 5.1 is in use), so if you're using Intrepid (8.10) or newer then you should be fine.

Parts one and two will only take a few minutes; the time required for part three is dependent on how you want to set everything up.

Part one, editing your sshd config file:

1. Backup your sshd config file


sudo cp /etc/ssh/sshd_config...

If you want to replace the buggy and not-encrypted FTP protocol, and get rid of the FTP daemon on your system, the SFTP protocol comes to the rescue. Note that the SFTP protocol is something more than the SCP protocol (Secure copy), as it provides resuming interrupted transfers, directory listings, and remote file removal. This makes it more similar to the FTPS protocol (FTP over SSL) with the difference that it doesn’t require a separate FTP daemon, because the SSH daemon supports SFTP, which simplifies your network setup and lowers maintenance costs.

A standard security feature of the FTP servers is that logged in users are placed in a chroot jail directory, which restricts users from viewing and manipulating any other files but their own ones. Fortunately, the OpenSSH daemon supports chroot() too — see the sshd_config(5) man page.

Now that I’ve convinced you that SFTP is the right way to go for secure file transfers and remote file mounts, let’s see how we can...


Posted by niol on Tue 1 Apr 2008 at 10:49

The upcoming version of OpenSSH (4.8p1 for the GNU/Linux port) features a new configuration option: ChrootDirectory. This has been made possible by a new SFTP subsystem statically linked into sshd.

This makes it easy to replace a basic FTP service without the hassle of configuring encryption and/or bothering with FTP passive and active modes when operating through a NAT router. This is also simpler than packages such as rssh, scponly or other patches because it does not require setting up and maintaining (i.e. security updates for) a chroot environment.

To enable it, you obviously need the new version 4.8p1. I personally use the cvs version and the debian/ directory of the sid package to build a well-integrated Debian package 4.8p1~cvs-1.

In /etc/ssh/sshd_config:

You need to configure OpenSSH to use its internal SFTP subsystem.

Subsystem sftp internal-sftp

Then, I configured chroot()ing in a match...


I spent the whole day trying to get a network share on my raspberry. I wanted to lock the user so that it would not be able to navigate through the whole file system, no ssh login access and I wanted to have write access to the network share.

First I created a user:

sudo useradd netdrive

Then edited /etc/passwd and made sure it has /bin/false for the user so the line was:

netdrive:x:1001:1004:Net Drive User,,,:/home/netdrive:/bin/false

I edited /etc/ssh/sshd_config to include:

Match User netdrive
    ChrootDirectory /home/netdrive
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no

Changed home directory owner and permissions:

sudo chown root:root /home/netdrive/
sudo chmod 755 /home/netdrive/

Ok so after all this I was able to connect using sshfs but in read only mode. What I had to do to get a writable folder:

sudo mkdir -p /home/netdrive/home/netdrive/
sudo chown netdrive:netdrive /home/netdrive/home/netdrive/
sudo chmod 755...

That article also describes how to get a chrooted shell access, but since you just want a sftp-only account, just follow these instructions:

Edit /etc/ssh/sshd_config and add the lines:

SubSystem sftp internal-sftp

Match Group sftp
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no

Find the line UsePAM yes and comment it:

#UsePAM yes

Without disabling this, my SSH server would crash on reloading/restarting. Since I do not need the fancy functions of PAM, this is fine.

For extra security, restrict the users who can log in. If you forget to add SFTP users to the sftp group, you give them free shell access. Not a nice scenario. Because SSH cannot combine AllowUsers and AllowGroups (a login has to fulfil both rules), you have to create an additional group, say ssh-users. Add the users who are allowed to log in (youruser below) over SSH:

sudo groupadd ssh-users
sudo gpasswd -a youruser ssh-users

And add the next line to...


I started from the following article to set up SFTP on Ubuntu Server: If I follow these instructions, I can connect with SFTP, but I am no longer able to connect to SSH from a terminal:

This service allows sftp connections only. Connection to closed.

Here are the changes I made to sshd_config:

Subsystem sftp internal-sftp -f AUTH -l VERBOSE
AllowGroups sftpusers sftp sshusers
Match Group sftpusers
    ChrootDirectory %h
    AllowTCPForwarding yes
    ForceCommand internal-sftp
    X11Forwarding no

The user in question, jcoulson, is in both sftpusers and sshusers groups.

Any hints? Any further info you need?...


I am attempting to setup an SSHFTP server, and upon connecting via apache@localhost, I am immediately disconnected with a "Write Failed: Broken Pipe" error message. I can connect fine with jack@localhost, but not the user apache.

These are the only settings I added to sshd_config (I want to only allow apache when I get it working):

Match User apache
    ChrootDirectory /apache
    AllowTCPForwarding no
    X11Forwarding no
    ForceCommand /usr/lib/openssh/sftp-server
Match
#AllowUsers apache

And this is what I added to ssh_config:

ServerAliveInterval 120
TCPKeepAlive no

I made sure the user apache had full permissions on the /apache folder, and I can login as this user fine and modify items in Terminal. The folder only has 2 files: index.html and test.php

I also went to another computer on the network, and used FileZilla to login as the user jack. It worked just fine.

This is the log of the Terminal when I try to connect.

jack@JacksServer:~$ ssh -v...