Introduction
This page explains the procedure I used to set up a chroot jail for sftp users. It is largely based on this procedure.
Procedure
- Edit /etc/ssh/sshd_config and change the following settings:
Subsystem sftp internal-sftp
and add the following settings at the bottom of the file:
Match group sftponly
    ChrootDirectory %h
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp
    # Optional
    PasswordAuthentication yes
- Create a group as follows:
addgroup sftponly
- Create users as in this example:
FULLNAME="<full-name>"    # E.g. FULLNAME="Fred Bloggs"
LOGIN="<first-name>"      # E.g. LOGIN=fred
adduser --ingroup sftponly --disabled-login --gecos "$FULLNAME" "$LOGIN"
# The chroot directory (%h, the user's home) must be owned by root
chown -R root:root "/home/$LOGIN"
# Give the user one subdirectory they can write to
mkdir "/home/$LOGIN/writable"
chown "$LOGIN" "/home/$LOGIN/writable"
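
sshd rejects a ChrootDirectory unless every component of the path is a root-owned directory that is not writable by group or others, so it is worth checking the result of the steps above before the first login attempt. The following is an added example, not part of the original procedure: check_chroot_path is a hypothetical helper name, it assumes GNU stat, and its optional owner-uid and top-directory arguments exist only so that it can be tried on a scratch tree.

```shell
#!/bin/sh
# Added example: check a chroot path against sshd's ownership rules.
# check_chroot_path is a hypothetical helper; it requires GNU stat (coreutils).
#
# check_chroot_path DIR [OWNER_UID] [TOP]
#   Walks from DIR up to TOP (default /) and reports every component that is
#   not a directory, not owned by OWNER_UID (default 0, root), or writable by
#   group or others.
#   Returns 0 if all components pass, 1 if any fail, 2 if one cannot be read.
check_chroot_path() {
    path=$1
    want_uid=${2:-0}
    top=${3:-/}
    rc=0
    while :; do
        # -L: inspect the target if a component is a symlink
        info=$(stat -L -c '%u %a' -- "$path" 2>/dev/null) || {
            echo "cannot stat: $path" >&2
            return 2
        }
        owner=${info% *}
        mode=${info#* }
        if [ ! -d "$path" ]; then
            echo "not a directory: $path" >&2
            rc=1
        fi
        if [ "$owner" != "$want_uid" ]; then
            echo "owner uid $owner (want $want_uid): $path" >&2
            rc=1
        fi
        # 022 masks the group-write and other-write permission bits.
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "group/other writable (mode $mode): $path" >&2
            rc=1
        fi
        if [ "$path" = "$top" ] || [ "$path" = "/" ]; then
            break
        fi
        path=$(dirname -- "$path")
    done
    return "$rc"
}

# Usage as root, for the example user "fred", followed by a config syntax test:
#   check_chroot_path /home/fred && sshd -t
```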