How do I restrict SFTP users to their home directory?

I often have to share resources with clients, but letting them “play” with the entire file system of the web app might end in disaster.

That’s why I decided to write this little guide on how to restrict SFTP users to their home directory and share specific folders with them.

RESTRICT SFTP ACCESS TO HOME DIRECTORY

First, we need to edit sshd_config, the configuration file of the SSH daemon (sshd).

sudo nano /etc/ssh/sshd_config

Make sure the following line is present and not commented out; otherwise add it yourself. internal-sftp runs the SFTP server inside sshd itself, which is what makes a chroot possible without copying binaries and libraries into the jail. The -f AUTH -l VERBOSE options send sftp logging to the AUTH syslog facility at VERBOSE level, so every file operation shows up in the auth log.

Subsystem sftp internal-sftp -f AUTH -l VERBOSE

On DigitalOcean I had the following line, which I replaced; the external sftp-server binary would not be reachable from inside the chroot.

Subsystem sftp /usr/lib/openssh/sftp-server

At the end of the file, add the following block. It has to be last because every directive after a Match line applies only to that match, up to the next Match. sshd also insists that /home/myuser, and every directory above it, is owned by root and not writable by group or others; otherwise the login fails with "bad ownership or modes for chroot directory" in the auth log. Because the user cannot write to a root-owned chroot root, create a subdirectory inside it that she owns.

This configuration prevents the user from getting a shell over SSH (ForceCommand internal-sftp) and confines her to /home/myuser, which she sees as /. TCP and X11 forwarding are switched off so the account cannot be used as a tunnel into the network.

Match User myuser
       ChrootDirectory /home/myuser
       ForceCommand internal-sftp
       AllowTcpForwarding no
       X11Forwarding no


Now we just need to restart the ssh service. Run sshd -t first: it checks the configuration for errors without touching the running daemon, and a broken sshd_config would otherwise lock you out.

sudo service ssh restart

Normally we would use ln -s to create a symlink, but inside a chroot a symlink is resolved relative to the jail: a link to /var/www/myfolder/var/import would be looked up as /home/myuser/var/www/myfolder/var/import, which does not exist.

Luckily the mount command comes to our help. With the bind option we can make /var/www/myfolder/var/import appear inside the user's home directory as the folder import. The mount point has to exist first, and mount needs root:

cd /home/myuser
sudo mkdir -p import
sudo mount -o bind /var/www/myfolder/var/import import

The bind mount keeps the ownership and permissions of /var/www/myfolder/var/import, so if the client should be able to upload, that directory (not the mount point) must be writable by myuser.


Please note that a bind mount does not survive a reboot: either re-run the command after every boot or add a line for it to /etc/fstab using the bind option.
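As an added example, not part of the original post, here is a small shell script that checks the ownership and permission rules sshd enforces on a ChrootDirectory path before you restart the daemon, and prints the /etc/fstab line that makes the bind mount permanent. The paths match the ones used above; the function names are mine, and the script assumes GNU stat (Linux) for the -c format option.

```shell
#!/bin/sh
# Added example: pre-flight checks for an sshd ChrootDirectory jail.
# sshd refuses the chroot unless every component of the path (/, /home,
# /home/myuser) is owned by root and not writable by group or others;
# otherwise the login fails with "bad ownership or modes for chroot directory".

# Return 0 if one directory component is acceptable as part of a chroot path.
# Arguments: owner uid, and the ls-style permission string (e.g. drwxr-xr-x).
chroot_component_ok() {
    uid=$1 perms=$2
    [ "$uid" = "0" ] || return 1            # must be owned by root
    case $perms in
        ?????w*) return 1 ;;                  # group write bit set (6th char)
        ????????w*) return 1 ;;               # other write bit set (9th char)
    esac
    return 0
}

# Walk every component of a path and check it; report the first bad one.
# Returns 0 when the path is usable, 1 when a component is bad, 2 on stat error.
check_chroot_path() {
    target=$1
    rest=${target#/}
    cur=""
    set -- "/"                                # list of components, root first
    while [ -n "$rest" ]; do
        comp=${rest%%/*}
        rest=${rest#"$comp"}
        rest=${rest#/}
        [ -n "$comp" ] || continue            # skip empty parts from "//"
        cur="$cur/$comp"
        set -- "$@" "$cur"
    done
    for p in "$@"; do
        uid=$(stat -c %u "$p") || return 2    # GNU stat assumed
        perms=$(stat -c %A "$p") || return 2
        if ! chroot_component_ok "$uid" "$perms"; then
            echo "not usable as ChrootDirectory: $p (uid $uid, $perms)" >&2
            return 1
        fi
    done
    return 0
}

# /etc/fstab entry that recreates the bind mount at boot.
# Arguments: source directory, mount point inside the jail.
fstab_bind_line() {
    printf '%s %s none bind 0 0\n' "$1" "$2"
}

# Usage: sh chroot-check.sh /home/myuser /var/www/myfolder/var/import
if [ $# -ge 1 ]; then
    if check_chroot_path "$1"; then
        echo "ok: $1 satisfies sshd's chroot requirements"
    fi
    if [ $# -ge 2 ]; then
        fstab_bind_line "$2" "$1/import"
    fi
fi
```

Run it as root against the ChrootDirectory you configured; a non-zero exit points at the component to fix with chown root:root and chmod 755. The fstab line it prints goes into /etc/fstab verbatim so the import folder reappears after a reboot.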

I hope this article will help all of you that are trying to achieve the same with your lovely clients.

Change into the user1 directory; there you can create files and folders. If you try to access any other directory, an error occurs:

sftp> cd user1
sftp> cd /root
Couldn't canonicalise: No such file or directory


2. Restricting SFTP Users to a Specific Directory

In the ssh configuration file, change "ChrootDirectory" to whichever directory you want to restrict the user to. Here, we are restricting user1 to /project/files:

ChrootDirectory /project/files

Create the directory named in the ssh configuration file. Like any chroot target it must be owned by root and not writable by group or others, so give user1 a subdirectory inside it that the user owns and can write to.

Now restart the sshd service to bring the changes into effect.

# systemctl restart sshd
OR
# service sshd restart

Q

How to restrict multiple users to their own home directories

A

Change /home to whichever directory you need the user to be restricted to. E.g.: ChrootDirectory /home/

Q

rsync error: protocol incompatibility [code 2] at /SourceCache/rsync/rsync-42/rsync/compat.c[61] [receiver=2.6.9] Any ideas? Thanks

A

I think it's due to different versions of rsync installed on the servers; make sure you have the same version of rsync. Or maybe different flavors of Linux distros are used here, you need to check.

Q

Thanks for the article. I’m learning about SFTP now and was curious and wanted to know how to CHROOT its users from Centos 7.

A

You’re better off creating an SFTP root as /home/sftproot and then putting your SFTP users' home directories under /home/sftproot/home. Then when that user logs in they’ll automatically get put

Q

Is there any sftp command to use encryption?

A

Follow this link: //www.linuxhelp.com/sftp-command-transfer-encrypted-files/


In this article I will share a step-by-step guide on how to configure an sftp server in Linux, with examples covering the topics below in detail:

  • Install sftp on Linux
  • Configure sftp chroot
  • Create sftp user/Create sftp group
  • sftp restrict user to specific directory
  • sftp chroot multiple directories

sftp is a file transfer program, similar to ftp, which performs all operations over an encrypted ssh transport. It may also use many features of ssh, such as public key authentication and compression.


Lab Environment

I have created two Virtual Machines with CentOS 8 on Oracle VirtualBox on a Linux host. I will use these two Virtual Machines to configure and verify sftp restrict user to specific directory and sftp chroot multiple directories with examples. Most of the steps in this article should also work on other Linux distributions such as SuSE, Ubuntu etc.; if you face any issues, let me know in the comment section of this page.

We will configure the sftp chroot jail on server2 and use server1 to connect to server2 as the sftp user deepak.

              server1                          server2
Hostname      server1.example.com              server2.example.com
IP Address    10.10.10.14                      10.10.10.13
Setup SFTP    as client (initiates the         as server (sftp server)
              sftp connection)
OS            CentOS 8                         CentOS 8


Step 1: Install sftp on Linux

On most Linux distributions sftp is installed by default. On RHEL/CentOS 7 and 8 you can use yum or dnf to install it: the sftp client ships in the openssh-clients rpm, and the server side (sshd, which provides the internal-sftp subsystem used below) ships in openssh-server.

HINT:

Depending on the distribution, sftp may be part of a different package; check your distribution's package list before installing.

[root@server1 ~]# which sftp
/usr/bin/sftp

Step 2: Create SFTP User

I will create the sftp user deepak on server2 to demonstrate restricting an sftp user to a specific directory.

To create the user, run the command below. The -m option also creates the user's home directory.

[root@server2 ~]# useradd -m deepak

Check user details:

[root@server2 ~]# id deepak
uid=1003(deepak) gid=1003(deepak) groups=1003(deepak)

The user's home directory is owned by deepak with 700 permissions, so no user other than root can access it.

[root@server2 ~]# ls -ld /home/deepak/
drwx------ 2 deepak deepak 4096 Mar 30 18:48 /home/deepak/

Assign password to sftp user deepak:

[root@server2 ~]# passwd deepak
Changing password for user deepak.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.

Change the shell of the sftp user to /bin/false instead of /bin/bash. Without a valid login shell the user cannot open an interactive ssh session; sftp keeps working because the internal-sftp subsystem is handled inside sshd and never executes the user's shell (the external sftp-server binary, by contrast, is started through the shell and would be blocked by /bin/false).

[root@server2 ~]# usermod --shell /bin/false deepak

Verify the new shell in the user's /etc/passwd entry:

[root@server2 ~]# grep deepak /etc/passwd
deepak:x:1003:1003::/home/deepak:/bin/false

HINT:

We could also have created the sftp user without a valid shell in a single command with useradd -m --shell /bin/false deepak.
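As an added example, not code from the original article, the following shell functions audit /etc/passwd for accounts that are supposed to be sftp-only but still carry an interactive shell. The sample passwd lines are constructed for the demo; the function names and the uid 1000 cut-off for "regular" accounts are my choices.

```shell
#!/bin/sh
# Added example: audit which accounts are sftp-only by their login shell.
# Constructed /etc/passwd lines for the demo; not copied from a real system.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
deepak:x:1003:1003::/home/deepak:/bin/false
alice:x:1004:1004::/home/alice:/bin/bash
bob:x:1005:1005::/home/bob:/sbin/nologin'

# Return 0 when the shell refuses interactive logins. internal-sftp still
# works with such a shell because sshd never executes it for that subsystem.
sftp_only_shell() {
    case $1 in
        /bin/false|/usr/bin/false|/sbin/nologin|/usr/sbin/nologin) return 0 ;;
        *) return 1 ;;
    esac
}

# Read passwd-format text on stdin and print the names of regular accounts
# (uid >= 1000, an assumed cut-off) that could still log in to a shell.
interactive_users() {
    while IFS=: read -r name _pw uid _gid _gecos _home shell; do
        [ -n "$name" ] || continue
        [ "$uid" -ge 1000 ] || continue       # skip system accounts, including root
        sftp_only_shell "$shell" || printf '%s\n' "$name"
    done
}

# Return 0 when the named account, as found in the passwd text on stdin,
# has an sftp-only shell; 1 when it has an interactive shell or is missing.
user_is_sftp_only() {
    wanted=$1
    while IFS=: read -r name _pw _uid _gid _gecos _home shell; do
        [ "$name" = "$wanted" ] || continue
        sftp_only_shell "$shell" && return 0
        return 1
    done
    return 1
}

# Run against the constructed sample; on a real host use: interactive_users < /etc/passwd
printf '%s\n' "$SAMPLE_PASSWD" | interactive_users
```

On the sample data only alice is reported: deepak (/bin/false) and bob (/sbin/nologin) pass, and root is skipped as a system account. Run interactive_users against the real /etc/passwd after the usermod step above to confirm no sftp user slipped through with a login shell.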

 

Step 3: Create SFTP Group [Optional]

In this article, to demonstrate sftp restrict user to specific directory, I will use an sftp user rather than an sftp group. But if you need a group-level sftp chroot jail, you can also create an sftp group with the steps below:

[root@server2 ~]# groupadd sftpusers
