Secure File Transfer Protocol/SSH File Transfer Protocol (SFTP) is a common method used to transfer files securely.  Configuring SFTP server with chroot ensures to generate a Jail like environment where users cannot access any folders beyond their home directory.

As a part of our Server Management Services, we help our Customers to fix SFTP related errors regularly.

Let us today discuss the on how to configure SFTP server with chroot.

Create a Group for sftp using groupadd command

First step here is to create a group for SFTP. Open the terminal, create a group with a name “sftp_users” using below groupadd command:

root@server:~# groupadd sftp_users

Add Users to Group ‘sftp_users’ and set permissions

To create new user and want to add that user to ‘sftp_users’ group, then run the following command:

# useradd -m -G sftp_users <user_name>

Replace user_name in the command with the exact username. Set the password using following chpasswd command:

root@server:~# echo "user_name:<enter_password>" | chpasswd

To add existing users to ‘sftp_users’ group, then run beneath usermod command. Let us suppose already existing user name is ‘user1’.

root@server:~# usermod -G sftp_users user1

Now set the required permissions on Users.

root@server:~# chown root /home/user_name /home/user1/

Create an upload folder in both the user’s home directory and set the correct ownership:

mkdir /home/user_name/upload
mkdir /home/user1/upload
chown user_name /home/user_name/upload
chown user1 /home/user1/upload

Edit sftp configuration file

Sftp configuration file is  at “/etc/ssh/sshd_config“. Before making any changes, first take the backup with cp command. Then edit this file to add the following content:

#Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem sftp internal-sftp

Match Group sftp_users
X11Forwarding no
AllowTcpForwarding no
ChrootDirectory %h
ForceCommand internal-sftp

Save and exit the file.

To make above changes into the affect, restart ssh service using following systemctl command:

root@server:~# systemctl restart sshd

In above ‘sshd_config’ file we have commented out the line which starts with “Subsystem” and added new entry “Subsystem sftp internal-sftp” and new lines like,

• “Match Group sftp_users” – It means if a user is a part of ‘sftp_users’ group then apply rules which are mentioned below to this entry.
• “ChrootDierctory %h” – It means users can only change directories within their respective home directories. They cannot access any other user’s and system’s directories.
• “ForceCommand internal-sftp” – It means users are limited to sftp command only.

Test and Verify sftp

Login to any other Linux system which is on the same network of the sftp server and then try to ssh sftp server via the users that we have mapped in ‘sftp_users’ group.

We will most probably receive an message that “Write failed: Broken pipe”. It confirms that users are not allowed to SSH. Now if we try sftp using following command, we receive an output that we have connected to the server.

[root@web-server ~]# sftp user_name@IP_address

We can use the ‘get’ command to download a file. Also when we try to navigate to directories outside of the users’s home directory, it shows a message “Couldn’t stat remote file: No such file or directory”.

Similarly, we can use the ‘put’ command to upload files to the server.

[Need any further assistance to Configure SFTP Server with Chroot? – We’re available 24*7]

Conclusion

In short,configuring SFTP server with chroot ensures to generate a Jail like environment where users cannot access any folders beyond their home directory. Today, we saw how our Support Engineers configure SFTP server with chroot.