Bobcares

How to configure an SFTP server with chroot?

Oct 13, 2020

Secure File Transfer Protocol/SSH File Transfer Protocol (SFTP) is a common method used to transfer files securely. Configuring an SFTP server with chroot creates a jail-like environment in which users cannot access any directories outside their home directory.

As a part of our Server Management Services, we help our customers fix SFTP-related errors regularly.

Today, let us discuss how to configure an SFTP server with chroot.

Create a group for SFTP using the groupadd command

The first step is to create a group for SFTP. Open the terminal and create a group named “sftp_users” using the groupadd command below:

root@server:~# groupadd sftp_users


Add Users to Group ‘sftp_users’ and set permissions

To create a new user and add it to the ‘sftp_users’ group, run the following command:

# useradd -m -G sftp_users <user_name>

Replace user_name in the command with the actual username. Set the password using the following chpasswd command:

root@server:~# echo "user_name:<enter_password>" | chpasswd

To add an existing user to the ‘sftp_users’ group, run the usermod command below. Let us suppose the existing user name is ‘user1’. The -a flag appends the group; without it, usermod -G would replace the user’s existing supplementary groups.

root@server:~# usermod -aG sftp_users user1

Now set the required ownership on the users’ home directories (the chroot directory must be owned by root):

root@server:~# chown root /home/user_name /home/user1/

Create an upload folder in both users’ home directories and set the correct ownership:

mkdir /home/user_name/upload
mkdir /home/user1/upload
chown user_name /home/user_name/upload
chown user1 /home/user1/upload

Edit the sftp configuration file

The SFTP configuration file is at “/etc/ssh/sshd_config”. Before making any changes, first take a backup with the cp command. Then edit this file to add the following content:

#Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem sftp internal-sftp

Match Group sftp_users
X11Forwarding no
AllowTcpForwarding no
ChrootDirectory %h
ForceCommand internal-sftp

Save and exit the file.

To bring the above changes into effect, restart the ssh service using the following systemctl command:

root@server:~# systemctl restart sshd

In the above ‘sshd_config’ file we have commented out the line which starts with “Subsystem”, added the new entry “Subsystem sftp internal-sftp”, and added new lines such as:

  • “Match Group sftp_users” – It means that if a user is part of the ‘sftp_users’ group, the rules listed below this entry apply to that user.
  • “ChrootDirectory %h” – It means users can only change directories within their respective home directories. They cannot access any other user’s directories or system directories.
  • “ForceCommand internal-sftp” – It means users are limited to the sftp command only.
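OpenSSH only honours ChrootDirectory when the jail directory and every parent up to / are owned by root and not writable by group or others; otherwise sshd refuses the login and logs “bad ownership or modes for chroot directory”. The following script is an added example, not part of the original post, that checks a candidate jail path against those rules before you restart sshd. It assumes GNU stat (the -c option is not POSIX).

```shell
#!/bin/sh
# Added example (not from the original post): verify that a directory meets
# OpenSSH's ChrootDirectory requirements. sshd rejects the jail unless the
# directory and every parent up to / are owned by root and are not writable
# by group or others. Assumes GNU stat for "stat -c '%u %a'".

# Pure check on a numeric uid and an octal mode string (as printed by
# "stat -c '%u %a'"). Returns 0 if sshd would accept it, 1 otherwise.
chroot_mode_ok() {
    uid="$1"
    mode="$2"
    [ "$uid" -eq 0 ] || return 1                 # must be owned by root
    while [ ${#mode} -lt 3 ]; do mode="0$mode"; done
    last3=${mode#"${mode%???}"}                  # drop setuid/setgid/sticky digit
    grp=${last3#?}; grp=${grp%?}                 # group permission digit
    oth=${last3#??}                              # other permission digit
    [ $(( grp & 2 )) -eq 0 ] || return 1         # no group write bit
    [ $(( oth & 2 )) -eq 0 ] || return 1         # no world write bit
    return 0
}

# Walk from the jail directory up to / and report the first offending path.
chroot_path_ok() {
    dir="$1"
    while :; do
        info=$(stat -c '%u %a' "$dir") || return 1
        set -- $info                             # $1 = uid, $2 = octal mode
        if ! chroot_mode_ok "$1" "$2"; then
            echo "chroot check failed: $dir is uid $1 mode $2" >&2
            return 1
        fi
        [ "$dir" = "/" ] && return 0
        dir=$(dirname "$dir")
    done
}

# Usage on the server (hypothetical path from this post):
#   chroot_path_ok /home/user_name && echo "jail ok"
```

If the check fails, fix the reported directory with chown root and chmod 755; the upload subdirectory may stay user-owned because only the chroot root itself and its parents are checked.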


Test and Verify sftp

Log in to any other Linux system on the same network as the SFTP server and then try to SSH into the SFTP server as one of the users we added to the ‘sftp_users’ group.

We will most probably receive the message “Write failed: Broken pipe”. This confirms that these users are not allowed to SSH in. Now, if we try sftp using the following command, we receive output showing that we have connected to the server.

[root@web-server ~]# sftp user_name@IP_address

We can use the ‘get’ command to download a file. Also, when we try to navigate to directories outside the user’s home directory, it shows the message “Couldn’t stat remote file: No such file or directory”.

Similarly, we can use the ‘put’ command to upload files to the server.


Conclusion

In short, configuring an SFTP server with chroot creates a jail-like environment in which users cannot access any directories outside their home directory. Today, we saw how our Support Engineers configure an SFTP server with chroot.

2 Comments

  1. Jota

    After doing this I am not able to log in again as root via ssh

    Reply
    • Hiba Razak

      Hi,
      Our experts can help you with the issue. We will be happy to talk to you through our live chat (click on the icon at the bottom right).

      Reply
