Tag: Configuring chroot sftp

Configuring chroot(ed) sftp

OpenSSH versions since 4.8 supports chroot(ed) sftp.  This has been made possible by a new SFTP subsystem statically linked to sshd. There is no need to add any patches, but just needs few tweaks to the ssh configuration (/etc/ssh/sshd_config). This one step further to removing unsecure ftp service from the server.

Steps to Configure chrooted sftp

Open the sshd config file

# vi /etc/ssh/sshd_config 

find and comment the line

Subsystem sftp /usr/libexec/openssh/sftp-server

then add the below after the commented above line

Subsystem sftp internal-sftp

With this change, sftp can be chrooted. Now let us update the config with rules, according to which chrooting will happen.

Let us create a group to start with

#  groupadd sftpuser

Towards end of the config file /etc/ssh/sshd_config update the below configuration values

Match Group sftpuser
ChrootDirectory %h
X11Forwarding no
AllowTCPForwarding no
ForceCommand internal-sftp

%h – means the home directory of the authenticated user and the authenticated user should below to the group sftpuser for the chrooting to happen. You may also use %u as in /var/www/vhosts/abcd.com/httpdocs/%u, where %u means username of the user.

The directory which is to be chrooted must be owned by root user with a permission of 700 or 755.