Secure File Transfer Protocol/SSH File Transfer Protocol (SFTP) is a common method for transferring files securely. Configuring an SFTP server with chroot creates a jail-like environment in which users cannot access any directory beyond their own home directory.
As part of our Server Management Services, we help our customers fix SFTP-related errors regularly.
Today, let us discuss how to configure an SFTP server with chroot.
Create a group for SFTP using the groupadd command
The first step is to create a group for SFTP. Open a terminal and create a group named “sftp_users” with the groupadd command below:
root@server:~# groupadd sftp_users
Add users to the ‘sftp_users’ group and set permissions
To create a new user and add it to the ‘sftp_users’ group at the same time, run the following command:
# useradd -m -G sftp_users <user_name>
Replace user_name in the command with the actual username. Set the password using the following chpasswd command:
root@server:~# echo "user_name:<enter_password>" | chpasswd
To add an existing user to the ‘sftp_users’ group, run the usermod command below. Let us suppose the existing user is ‘user1’. The -a flag appends the group to the user’s existing supplementary groups instead of replacing them:
root@server:~# usermod -aG sftp_users user1
Now set the required ownership on the users’ home directories. sshd only accepts a ChrootDirectory that is owned by root and not writable by any other user or group, so the home directories must belong to root:
root@server:~# chown root /home/user_name /home/user1/
Create an upload folder in both users’ home directories and give each user ownership of their own upload folder, since the chrooted home itself is no longer writable by them:
mkdir /home/user_name/upload
mkdir /home/user1/upload
chown user_name /home/user_name/upload
chown user1 /home/user1/upload
Edit the SFTP configuration file
SFTP is served by the SSH daemon, so its configuration file is “/etc/ssh/sshd_config”. Before making any changes, first take a backup with the cp command. Then edit the file to add the following content:
#Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem sftp internal-sftp
Match Group sftp_users
X11Forwarding no
AllowTcpForwarding no
ChrootDirectory %h
ForceCommand internal-sftp
Save and exit the file.
To bring the above changes into effect, restart the ssh service using the following systemctl command:
root@server:~# systemctl restart sshd
In the ‘sshd_config’ file above we commented out the existing line that starts with “Subsystem”, added the new entry “Subsystem sftp internal-sftp”, and added the following lines:
- “Match Group sftp_users” – if a user is a member of the ‘sftp_users’ group, the rules listed below this entry apply to that user.
- “ChrootDirectory %h” – users can only change directories within their respective home directories (%h expands to the user’s home). They cannot access any other user’s directories or the system’s directories.
- “ForceCommand internal-sftp” – users are limited to the sftp command only; no shell is started.
Test and verify SFTP
Log in to another Linux system on the same network as the SFTP server and try to SSH to the SFTP server as one of the users we mapped into the ‘sftp_users’ group.
We will most probably receive the message “Write failed: Broken pipe”. This confirms that those users are not allowed an SSH shell. Now, if we connect with sftp using the following command, we receive output showing that we are connected to the server:
[root@web-server ~]# sftp user_name@IP_address
We can use the ‘get’ command to download a file. When we try to navigate to directories outside of the user’s home directory, it shows the message “Couldn’t stat remote file: No such file or directory”, because nothing outside the chroot is visible.
Similarly, we can use the ‘put’ command to upload files to the server.
Conclusion
In short, configuring an SFTP server with chroot creates a jail-like environment in which users cannot access any directory beyond their own home directory. Today, we saw how our Support Engineers configure an SFTP server with chroot.
After doing this I am not able to log in again as root via SSH.
Hi,
Our experts can help you with the issue. We will be happy to talk to you through our live chat (click on the icon at the bottom right).