Set Up SFTP with Chroot on Ubuntu 24.04

This article explains how to set up an SFTP account with chroot restriction on Ubuntu 24.04.

SFTP (SSH File Transfer Protocol) is a secure file transfer protocol that operates over the secure shell (SSH) protocol.

Chroot, an abbreviation for “change root,” is a feature that restricts a directory for a running process and its children. When integrated with SFTP, a chroot environment imposes strict control, confining users to a specific directory and subdirectory.

This means users who log in via SFTP can’t navigate beyond their designated area, thereby enhancing security by isolating each user’s file access.

Create restricted group

To restrict users, you should put them into a restricted group. For this tutorial, we’ll create a group named chgroup.

Run the command below to create a new group.

sudo groupadd chgroup

Next, run the command below and put a user in the chgroup created above.

sudo usermod -aG chgroup username

Replace username in the command above with the account’s actual username.

Configure SSH

Now that you have created a group to restrict, open the SSH configuration file by running the command below.

sudo nano /etc/ssh/sshd_config

Adjust the settings shown below; the comments mark which lines to change and which to add.

# override default of no subsystems
# comment out the line below
#Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem sftp internal-sftp

# add the lines below
Match Group chgroup
X11Forwarding no
AllowTcpForwarding no
ChrootDirectory /home
ForceCommand internal-sftp

Save the file and exit.

Restart SSH by running the command below.

sudo systemctl restart ssh

Test SSH and SFTP

SSH will error out:

ssh username@srv1.example.com's password:
This service allows sftp connections only.
Connection to srv1.example.com closed.

SFTP will succeed.

sftp username@srv1.example.com's password:
Connected to srv1.example.com.
sftp>

That should do it!

Conclusion

Setting up a chroot restricted SFTP account on Ubuntu 24.04 enhances security by isolating user access to specific directories. Here are the key takeaways:

  • Enhanced Security: Users are confined to their directory, minimizing the risk of unauthorized access to other users’ files.
  • Group Management: Creating a specific group for SFTP users simplifies the management of user permissions and access.
  • SSH Configuration: Proper configuration in the SSH settings is crucial for implementing chroot restrictions effectively.
  • Testing: Always test your configuration to ensure that SFTP works as intended without compromising security measures.

By following these steps, you can ensure a secure file transfer environment while maintaining easy user access.

Frequently Asked Questions

What is SFTP and how does it work?

SFTP, or SSH File Transfer Protocol, is a secure method for transferring files over a network. It operates over the secure shell (SSH) protocol, providing encryption and secure authentication for file transfers.

What does chroot mean in the context of SFTP?

Chroot, short for 'change root', is a mechanism that restricts a process to a specific directory and its subdirectories. When used with SFTP, it confines users to their designated directories, enhancing security by preventing access to the broader file system.

How do I create a restricted group for SFTP users on Ubuntu?

To create a restricted group for SFTP users on Ubuntu, use the command 'sudo groupadd chgroup' to create the group. Then, add users to this group with 'sudo usermod -aG chgroup username', replacing 'username' with the actual user's name.

What changes do I need to make in the SSH configuration for chroot?

In the SSH configuration file '/etc/ssh/sshd_config', you need to comment out the default 'Subsystem sftp /usr/lib/openssh/sftp-server' line, replace it with 'Subsystem sftp internal-sftp', and add specific settings under 'Match Group chgroup'. These settings disable X11 forwarding and TCP forwarding, set the ChrootDirectory, and force the internal-sftp command.

How can I test if my SFTP setup with chroot is working correctly?

To test your SFTP setup, attempt to connect using the SFTP command. If configured correctly, the connection should succeed, allowing access only to the specified directory, while SSH connections should indicate that only SFTP is allowed.
