Set Up SFTP with Chroot on Ubuntu 24.04

This article outlines the process of setting up a chroot restricted SFTP account on Ubuntu 24.04, enhancing security by confining users to designated directories. Key steps include creating a restricted user group, adjusting SSH settings, and testing configurations to ensure proper functionality while minimizing unauthorized access risks.

This article explains how to set up an SFTP account with chroot restriction on Ubuntu 24.04.

SFTP (SSH File Transfer Protocol) is a secure file transfer protocol that operates over the secure shell (SSH) protocol.

Chroot, an abbreviation for “change root,” is a feature that restricts a running process and its children to a directory subtree. When integrated with SFTP, a chroot environment imposes strict control, confining users to a specific directory and its subdirectories.

This means users who log in via SFTP can’t navigate beyond their designated area, thereby enhancing security by isolating each user’s file access.

Create restricted group

To restrict users, you should put them into a restricted group. For this tutorial, we’ll create a group named chgroup.

Run the command below to create a new group.

sudo groupadd chgroup

Next, run the command below and put a user in the chgroup created above.

sudo usermod -aG chgroup username

Replace username in the command above with the account’s actual username.

Configure SSH

Now that you have created a group to restrict, open the SSH configuration file by running the command below.

sudo nano /etc/ssh/sshd_config

Adjust the settings shown below in the file.

# override default of no subsystems
# comment out the line below and use the in-process SFTP server instead
#Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem sftp internal-sftp

# add the lines below at the end of the file (everything after a Match line belongs to that Match block)
Match Group chgroup
X11Forwarding no
AllowTcpForwarding no
ChrootDirectory /home
ForceCommand internal-sftp

Save the file and exit.

Restart SSH by running the command below.

sudo systemctl restart ssh

Test SSH and SFTP

SSH will error out:

ssh richard@srv1.example.com's password:
This service allows sftp connections only.
Connection to srv1.example.com closed.

SFTP will succeed.

sftp richard@srv1.example.com's password:
Connected to srv1.example.com.
sftp>

That should do it!

Conclusion

Setting up a chroot restricted SFTP account on Ubuntu 24.04 enhances security by isolating user access to specific directories. Here are the key takeaways:

  • Enhanced Security: Users are confined to their directory, minimizing the risk of unauthorized access to other users’ files.
  • Group Management: Creating a specific group for SFTP users simplifies the management of user permissions and access.
  • SSH Configuration: Proper configuration in the SSH settings is crucial for implementing chroot restrictions effectively.
  • Testing: Always test your configuration to ensure that SFTP works as intended without compromising security measures.

By following these steps, you can ensure a secure file transfer environment while maintaining easy user access.
