How to set up a SFTP server with users chrooted in their home directories? [duplicate]

That article also describes how to get a chrooted shell access, but since you just want a sftp-only account, just follow these instructions:

Edit /etc/ssh/sshd_config and add the lines:

SubSystem sftp internal-sftp
Match Group sftp
ChrootDirectory %h
ForceCommand internal-sftp
AllowTcpForwarding no

Find the line UsePAM yes and comment it:

#UsePAM yes

Without disabling this, my SSH server would crash on reloading/restarting. Since I do not need fancy functions of PAM, this is fine.

For extra security, restrict the users who can login. If you forget to add SFTP users to the sftp group, you give them free shell access. Not a nice scenario. Because SSH cannot combine AllowUsers and AllowGroups (a login has to fulfill both rules), you have to create an additional group, say ssh-users. Add the users who are allowed to login (youruser below) over SSH:

sudo groupadd ssh-users
sudo gpasswd -a youruser ssh-users

And add the next line to /etc/ssh/sshd_config:

AllowGroups ssh-users sftp

Now proceed with modifying the permissions of the users home directory to allow for chrooting (example user sftp-user):

sudo chown root:sftp-user /home/sftp-user
sudo chmod 750 /home/sftp-user

Create a directory in which sftp-user is free to put any files in it:

sudo mkdir /home/sftp-user/public
sudo chown sftp-user: /home/sftp-user/public
sudo chmod 750 /home/sftp-user/public

Should you run into any problems, check /var/log/syslog and /var/log/auth.log for details. Run ssh or sftp with the -vvv option for debugging messages. For sftp, the option must appear before the host, as in sftp -vvv user@host.


Just wanted to add that folder permissions up the directory tree need to be set a certain way.

sshd's strict ownership/permissions requirements dictate that every directory in the chroot path must be owned by root and only writable by the owner.

Source

I was having a very similar error, and fixing my directory permissions fixed the issue for me.


I'm using Ubuntu LTS 12.04 and after a lot of pain, this worked for me.

My Settings for /etc/ssh/sshd_config

Subsystem sftp internal-sftp -f AUTH -l VERBOSE
UsePAM yes
Match group sftp
  ChrootDirectory %h
  ForceCommand internal-sftp
  AllowTcpForwarding no

  1. create group sftp:

    groupadd sftp

  2. Create user directly with new sftp group attached:

    sudo useradd -d /ftpusers/HomeFolder -m UserName -g sftp -s /bin/false

  3. set permissions for use with ssh for sftp:

    chown root:root HomeFolder

    chmod 755 HomeFolder

  4. restart service:

    service ssh restart

Note: the home folder for the new sftp user has to be given root as its owner.


Here is a step by step guide to allow:

  1. SFTP access to /home/bob/uploads for user bob
  2. Lock bob out of SSH
  3. Use username/passwords rather than keys:

First, edit your /etc/ssh/sshd_config file:

sudo nano /etc/ssh/sshd_config

Scroll down and modify:

PasswordAuthentication yes

and add this at the bottom:

Match Group sftpusers
ChrootDirectory %h
ForceCommand internal-sftp
AllowTcpForwarding no

Press Ctrl-X to exit and save.

Now add the user:

sudo useradd bob
sudo passwd bob

Now add the groups and disable ssh:

sudo groupadd sftpusers
sudo usermod -g sftpusers bob
sudo usermod -s /usr/bin/rssh bob
sudo usermod -d /home/bob bob

Now set permissions:

sudo chown root:root /home/bob/
sudo chmod 755 /home/bob/
sudo mkdir /home/bob/uploads
sudo chown bob /home/bob/uploads

sudo service sshd restart

All this is done while logged in as a root user (ec2-user on Amazon Linux AMIs).