Set Up SFTP with Chroot on Ubuntu 24.04
Setting up SFTP with chroot on Ubuntu 24.04 lets you restrict each user's file access to a specific directory.
SFTP (SSH File Transfer Protocol) provides a secure way to transfer files using SSH, while chroot creates a confined virtual filesystem environment.
This configuration limits users to their designated home directory, preventing them from browsing outside it when they log in via SFTP.
For instance, you can grant a client access only to their project files without exposing your server’s entire file system.
Create a restricted group, add users to it, and then configure the SSH daemon’s `sshd_config` file to use `internal-sftp` and `ChrootDirectory` for that group. Restart the SSH service afterward.
Create restricted group
To restrict users, put them into a dedicated group. For this tutorial, we'll create a group named chgroup.
Run the command below to create a new group.
sudo groupadd chgroup
Next, run the command below and put a user in the chgroup created above.
sudo usermod -aG chgroup username
Replace username in the command above with the account’s actual username.
Configure SSH
Now that the restricted group exists, open the SSH daemon configuration file by running the command below.
sudo nano /etc/ssh/sshd_config
Adjust the settings shown below in the file.
# override default of no subsystems
# comment out the line below
#Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem sftp internal-sftp
# add the lines below
Match Group chgroup
X11Forwarding no
AllowTcpForwarding no
ChrootDirectory /home
ForceCommand internal-sftp
Save the file and then exit.
Restart SSH by running the command below.
sudo systemctl restart ssh
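Two things OpenSSH enforces are easy to get wrong here: the Match block has to route the group to internal-sftp under a chroot, and the ChrootDirectory (the guide uses /home) and every directory above it must be owned by root and not writable by group or others, or sshd rejects the login. The audit script below is an added example, not part of the original guide; it assumes bash and GNU stat, and its sample config is constructed to mirror the settings shown above.

```bash
#!/bin/bash
# Added audit helper, not part of the original guide.
# Assumes bash and GNU coreutils (stat -c). SAMPLE_CONFIG is a constructed
# copy of the sshd_config settings the guide adds.

SAMPLE_CONFIG='Subsystem sftp internal-sftp
Match Group chgroup
X11Forwarding no
AllowTcpForwarding no
ChrootDirectory /home
ForceCommand internal-sftp'

# OpenSSH refuses a chrooted login unless the ChrootDirectory (and every
# component above it) is owned by root and not writable by group or others.
# Pure check on an owner uid and an octal mode string such as 755 or 1777.
chroot_perms_ok() {
  uid="$1"; mode="$2"
  [ "$uid" -eq 0 ] || return 1
  case "$mode" in
    *[2367]?) return 1 ;;   # group write bit set
    *[2367])  return 1 ;;   # others write bit set
  esac
  return 0
}

# Applies the check to a real path (GNU stat).
check_chroot_dir() {
  chroot_perms_ok "$(stat -c %u "$1")" "$(stat -c %a "$1")"
}

# Reads an sshd_config from stdin and confirms that sftp uses internal-sftp
# and that the Match block for the given group sets both ChrootDirectory
# and ForceCommand internal-sftp. Returns 0 only when all three are present.
config_ok() {
  group="$1"; in_match=0; subsys=0; chroot=0; force=0
  while read -r key val; do
    case "$key" in
      Subsystem) [ "$val" = "sftp internal-sftp" ] && subsys=1 ;;
      Match) [ "$val" = "Group $group" ] && in_match=1 || in_match=0 ;;
      ChrootDirectory) [ "$in_match" -eq 1 ] && chroot=1 ;;
      ForceCommand) [ "$in_match" -eq 1 ] && [ "$val" = "internal-sftp" ] && force=1 ;;
    esac
  done
  [ "$subsys" -eq 1 ] && [ "$chroot" -eq 1 ] && [ "$force" -eq 1 ]
}

# Stand-alone usage: audit the sample config and the guide's chroot path.
if printf '%s\n' "$SAMPLE_CONFIG" | config_ok chgroup; then echo "sshd_config: OK"; else echo "sshd_config: missing settings"; fi
if [ -d /home ] && check_chroot_dir /home; then echo "/home owner and mode: OK"; else echo "/home owner and mode: sshd would refuse the chroot"; fi
```

To audit the live file instead of the sample, run `config_ok chgroup < /etc/ssh/sshd_config` after sourcing the script.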
Test SSH and SFTP
An interactive SSH login for a member of the group is refused:
ssh richard@srv1.example.com's password:
This service allows sftp connections only.
Connection to srv1.example.com closed.
SFTP will succeed.
sftp richard@srv1.example.com's password:
Connected to srv1.example.com.
sftp>
You’re all set!
Conclusion:
Setting up a chroot restricted SFTP account on Ubuntu 24.04 enhances security by isolating user access to specific directories. Here are the key takeaways:
- Enhanced Security: Users are confined to their directory, minimizing the risk of unauthorized access to other users’ files.
- Group Management: Creating a specific group for SFTP users simplifies the management of user permissions and access.
- SSH Configuration: Proper configuration in the SSH settings is crucial for implementing chroot restrictions effectively.
- Testing: Always test your configuration to ensure that SFTP works as intended without compromising security measures.
Follow these steps to create a secure file transfer environment that’s still accessible for users.
About the Author
Richard
Tech Writer, IT Professional
Richard, a writer for Geek Rewind, is a tech enthusiast who loves breaking down complex IT topics into simple, easy-to-understand ideas. With years of hands-on experience in system administration and enterprise IT operations, he’s developed a knack for offering practical tips and solutions. Richard aims to make technology more accessible and actionable. He's deeply committed to the Geek Rewind community, always ready to answer questions and engage in discussions.