Restrict SFTP users to home folder

Here is a guide for setting up SFTP users whose access is restricted to their home directory.

Add the following to the end of the /etc/ssh/sshd_config file:

Subsystem sftp internal-sftp

# This section must be placed at the very end of sshd_config
Match Group sftponly
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no

This means that all users in the ‘sftponly’ group will be chroot’d to their home directory, where they will only be able to run the internal SFTP subsystem.

Now you can create the group sftponly by running the following command:

$ groupadd sftponly

From here on, the example will assume the user you want to apply this to is “steve”; you will need to change the commands accordingly.

Set a user’s group:

$ usermod -g sftponly steve

To deny SSH shell access, run the following command:

$ usermod -s /bin/false steve

And set the user’s home directory:

$ usermod -d /folder steve

Finally, you will probably need to restart SSH:

$ service ssh restart

The SSH part should now be in order, but you should make sure that file permissions are also correct. If the chroot environment is in a user’s home directory, both /home and /home/username must be owned by root and should have permissions along the lines of 755 or 750.

In other words, every folder leading up to and including the home folder must be owned by root, otherwise you will get the following error after logging in:

Write failed: Broken pipe
Couldn't read packet: Connection reset by peer


I’m a web developer based in Oslo, Norway. I currently work with web development at Nettmaker.

I would like to change the world, but they won’t give me the source…

11 Comments

Just made a map /TEST and adjusted the above config to this map. I can connect but can’t create or edit any file in this directory as a user test.
What am I doing wrong?

The folder you logged into is owned by the root user. You can either change permissions for that folder to allow anyone to write to it, or create a subfolder inside the home directory folder, and set the ownership to your sftp user.

When I change the permissions to something other than 750 or 755 to be able to write, I can’t log in anymore.
Putting the folder into the home directory I did not try. Should I make it owner and group of the user it owns?

I am getting the Broken pipe error.
I want the new user to access only the /var/www/example.com directory.
If I do not add the rules in the ssh config file, then I can access sftp, but it gives access to all files. I want to restrict the user to /var/www/example.com only. How can I resolve this ownership issue? As you mentioned, if root is not the owner of the preceding folders, then I will run into this issue. I used the chown command but it’s not working. I am new to Linux. Please guide me. Thanks.

In my sshd_config I have the following line.

# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server

Does this line above need to be commented out and replace with your line below?

Subsystem sftp internal-sftp

Or do I let both lines exist in the file?

I am getting the following error:
Connection to x.x.x.x closed by remote host.
Connection closed.

And I have no idea why. Any thoughts?
