How To Setup Chrooted SFTP In Linux

Setup Chrooted SFTP In Linux

I have an old system sitting idle in my room. I wanted to make use of it for something useful. After a few google searches, I came to a decision to setup a secure file server to share and manage data for my family members. At the same time, I wanted it to be bit secure. So, I am going to setup Chrooted SFTP to allow the users to connect through SFTP, but not allow them to connect through SSH. In other words, I am going to force the users to a specific directory and set their shell to /bin/nologin or some other shell that denies access to a ssh login. Are we clear? Good. Now, let us go ahead and see how to setup Chrooted SFTP in Unix-like systems. It is not that difficult either. We can do this in couple steps. Read on.

Setup Chrooted SFTP In Linux

Starting from version 4.9, openSSH has a feature known as internal-sftp subsystem which allows only SFTP access, but not SSH access. So, the users can be able to access only the data from the server, but they can’t access it using SSH.

Create Chrooted directory

First, Create a specific chrooted directory using command:

sudo mkdir /sftp

Make this directory fully owned by root user using command:

sudo chown root:root /sftp/

Under this directory, create separate directories for each user, like /sftp/user1, /sftp/user2, and /sftp/user3 and so on.

For the purpose of this guide, I am going to create a directory called ostechnix under /sftp directory.

sudo mkdir /sftp/ostechnix

This is the directory where the users can save the data. Also, the users can’t go beyond this directory. It’s just like their HOME directory.

Create sftp group and assign users to that group

Now, we need to create the users to be able to access SFTP chrooted directory.

Create a group called sftponly as shown in the following command:

sudo groupadd sftponly

Then, create new SFTP users or assign existing users to the “sftponly” group as shown below.

To create a new user, for example senthil, and assign him to the group called “sftponly”. And then, setup his home directory as /sftp/ostechnix and the default shell as /sbin/nologin.

We can do this using the following online command:

sudo useradd -g sftponly -d /ostechnix -s /sbin/nologin senthil

Set password for the newly-created user using command:

sudo passwd senthil

To modify the existing user, use “usermod” instead of “useradd” command like below:

sudo usermod -g sftponly -d /ostechnix -s /sbin/nologin senthil

Assign proper permissions to the Chrooted directory

You need to assign proper permissions to the SFTP users to access their HOME directory like below.

sudo chown senthil:sftponly /sftp/ostechnix
sudo chmod 700 /sftp/ostechnix/

The other SFTP users can’t access this directory.

Similarly, assign appropriate permissions to all other SFTP users as well.

Configure Chrooted SFTP

Edit /etc/ssh/sshd_config file:

sudo vi /etc/ssh/sshd_config

Find and comment out the following lines (I.e add # in-front of it to comment out).

#Subsystem       sftp    /usr/libexec/openssh/sftp-server

Next, add the following lines at the end of the file:

Subsystem       sftp    internal-sftp
Match group sftponly
     ChrootDirectory /sftp/
     X11Forwarding no
     AllowTcpForwarding no
     ForceCommand internal-sftp

Save and exit the file. Restart ssh service to update the changes.

sudo systemctl restart sshd

Now, try to SSH to the system using the sftp user (i.e senthil in our case). You will get the following error message.

$ ssh [email protected]
[email protected]'s password: 
This service allows sftp connections only.
Connection to closed.

Here, is my remote system’s IP address.

You can only access the remote system using sftp as shown below.

$ sftp [email protected]
[email protected]'s password: 
Connected to

And, that’s all for now folks. Hope this helps. We will be posting useful guides everyday. Keep visiting!


Thanks for stopping by!

Help us to help you:

Have a Good day!!

You may also like...

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.