Configuring a chroot jail for sftp

Introduction

This page explains the procedure I used to set up a chroot jail for sftp-only users: accounts that can transfer files into one directory but get no shell and cannot see anything outside their home directory. It is largely based on this procedure.

Procedure

  1. Edit /etc/ssh/sshd_config and change the existing Subsystem line (on Debian it points at /usr/lib/openssh/sftp-server) to:
    Subsystem sftp internal-sftp

    and add the following block at the bottom of the file. A Match block applies to every line after it up to the next Match, so it must come after all the global settings:

    Match group sftponly
            ChrootDirectory %h
            X11Forwarding no
            AllowTcpForwarding no
            ForceCommand internal-sftp
            PasswordAuthentication yes     #  Optional; leave it out for key-only logins

    ChrootDirectory %h jails each member of the group in their own home directory. sshd only enters a chroot whose directory, and every directory above it, is owned by root and not writable by group or others; step 3 sets that up. internal-sftp is used rather than the external sftp-server binary because no binaries exist inside the jail.
    
  2. Create a group as follows:
    addgroup sftponly
  3. Create users as in this example. The home directory becomes the jail, so it is handed to root and must stay traversable (recent adduser versions create home directories as 0700, which would lock the user out of their own jail); the user only owns the writable subdirectory:
    FULLNAME="<full-name>"                 #  E.g. FULLNAME="Fred Bloggs"
    LOGIN="<first-name>"                   #  E.g. LOGIN=fred
    adduser --ingroup sftponly --disabled-login --gecos "$FULLNAME" "$LOGIN"
    chown -R root:root "/home/$LOGIN"
    chmod 755 "/home/$LOGIN"               #  Jail root: root-owned, not group/world writable, traversable
    mkdir "/home/$LOGIN/writable"
    chown "$LOGIN" "/home/$LOGIN/writable"

    --disabled-login creates the account without a password, so either set one with passwd "$LOGIN" (if PasswordAuthentication is enabled for the group) or put a key in /home/$LOGIN/.ssh/authorized_keys; sshd reads that file as root before entering the chroot, so it is fine that the user cannot write it.
  4. Check the configuration before reloading, then reload sshd (the service is called sshd rather than ssh on many non-Debian systems):
    sshd -t && systemctl reload ssh
    Test with sftp "$LOGIN@localhost": the session should start in / (the jail), with writable the only directory it can upload to, and ssh "$LOGIN@localhost" should not give a shell.

See also