How to Restrict SFTP with Chroot on Ubuntu Linux

This article explains how to restrict SFTP with chroot on Ubuntu Linux.

Configuring SFTP allows for a more secure transfer of files between the SFTP host and client machines. An even more secure implementation is to enable chroot. A chroot isolates an application from the rest of the system by confining it to a directory tree (a "jail") that it cannot escape.

The reason to restrict SFTP with Chroot on Ubuntu Linux is to enhance file transfer security between server and client machines. FTP is inherently insecure, so SFTP is a more secure option for file transfer.

However, enabling chroot on top of SFTP adds an extra layer of security. Chroot isolates the user’s account and restricts access to only their directory and files within the directory.

This ensures that users can only access what they are authorized to and nothing else on the system.

To get started, continue with the steps below.

Install OpenSSH Server

If you haven't installed the OpenSSH server, run the commands below to install it.

sudo apt update
sudo apt install openssh-server

After installing, the commands below stop, start, and enable the service so that it starts when the server boots.

sudo systemctl stop ssh.service
sudo systemctl start ssh.service
sudo systemctl enable ssh.service

Configure SFTP

Now that OpenSSH Server is installed, open its default configuration file by running the command below.

sudo nano /etc/ssh/sshd_config

Then find the existing Subsystem line shown below, comment it out by adding # in front of it, and add the line Subsystem sftp internal-sftp after it. This switches the SFTP subsystem from the external sftp-server binary to the in-process internal-sftp server, which needs no support files inside the chroot.

# override default of no subsystems
#Subsystem      sftp    /usr/lib/openssh/sftp-server
Subsystem sftp internal-sftp

Next, add the lines below at the end of the file, or just below the Subsystem line you edited above.

# Example of overriding settings on a per-user basis
#Match User anoncvs
#       X11Forwarding no
#       AllowTcpForwarding no
#       PermitTTY no
#       ForceCommand cvs server
Match Group sftp_users
X11Forwarding no
AllowTcpForwarding no
ChrootDirectory /home
ForceCommand internal-sftp

Save the file and exit.

After editing the file, run the commands below to restart OpenSSH Server.

sudo systemctl restart ssh.service

Create SFTP Group

Now that you have defined your SFTP settings and applied them to the sftp_users group, create the sftp_users group and add the users you want to restrict via chroot. To create the group, run the command below.

sudo groupadd sftp_users

Now, add a user to the group by running the command below.

sudo usermod -aG sftp_users richard

Replace user richard with your Ubuntu account name. This will add the user to the sftp_users group you created above.
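The steps above leave two things easy to get wrong: sshd only honours ChrootDirectory when that directory and every parent up to / are owned by root and not group- or world-writable (otherwise the login fails with "bad ownership or modes for chroot directory" in the auth log), and a broken sshd_config can lock you out on restart. The following pre-flight script is an added example, not part of the original article: it checks the chroot path, checks that the config contains the internal-sftp subsystem and the Match Group block, confirms the group exists, and validates the file with sshd -t before you restart. The script name sftp_check.sh and the demo function are my own.

```shell
#!/bin/sh
# Added example (not from the article): pre-flight checks for the chroot SFTP setup.
# sshd rejects a chrooted login unless ChrootDirectory and all its parents are
# root-owned and writable only by root, and the Subsystem must be internal-sftp
# because the external sftp-server binary is not reachable inside the chroot.

# chroot_path_ok DIR: returns 0 if DIR and every parent up to / pass sshd's ownership rules.
chroot_path_ok() {
    dir=$1
    while :; do
        out=$(stat -c '%u %a' "$dir" 2>/dev/null) || return 1
        uid=${out%% *}; perm=${out##* }          # e.g. "0 755"
        [ "$uid" -eq 0 ] || return 1
        g=$(( (perm / 10) % 10 )); o=$(( perm % 10 ))   # group / other permission digits
        [ $(( g & 2 )) -eq 0 ] && [ $(( o & 2 )) -eq 0 ] || return 1   # no write bit
        [ "$dir" = / ] && return 0
        dir=$(dirname "$dir")
    done
}

# sftp_config_ok FILE GROUP: returns 0 if FILE sets "Subsystem sftp internal-sftp" and has a
# "Match Group GROUP" block containing ChrootDirectory and "ForceCommand internal-sftp".
sftp_config_ok() {
    awk -v grp="$2" '
        tolower($1) == "subsystem" && $2 == "sftp" { sub_ok = ($3 == "internal-sftp") }
        tolower($1) == "match" { inblk = (tolower($2) == "group" && $3 == grp) }
        inblk && tolower($1) == "chrootdirectory" { chroot = 1 }
        inblk && tolower($1) == "forcecommand" && $2 == "internal-sftp" { force = 1 }
        END { exit !(sub_ok && chroot && force) }' "$1"
}

# demo: writes a constructed copy of the settings from this article to a temp file and checks it.
demo() {
    f=$(mktemp)
    printf '%s\n' 'Subsystem sftp internal-sftp' 'Match Group sftp_users' \
        '    X11Forwarding no' '    AllowTcpForwarding no' \
        '    ChrootDirectory /home' '    ForceCommand internal-sftp' > "$f"
    if sftp_config_ok "$f" sftp_users; then rc=0; else rc=1; fi
    rm -f "$f"; return $rc
}

# Usage (as root): sh sftp_check.sh /etc/ssh/sshd_config sftp_users /home
if [ $# -eq 3 ]; then
    chroot_path_ok "$3"      || { echo "chroot dir $3 is not root-owned and non-writable up to /"; exit 1; }
    sftp_config_ok "$1" "$2" || { echo "$1 lacks internal-sftp or the Match Group $2 block"; exit 1; }
    getent group "$2" >/dev/null || { echo "group $2 does not exist"; exit 1; }
    sshd -t -f "$1" && echo "config OK; safe to run: systemctl restart ssh.service"
fi
```

Run it from an existing SSH session and keep that session open until a second connection succeeds after the restart.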

That’s it! Your system should be configured for secure SFTP for your users.

Users can securely connect with any SFTP-capable client, such as FileZilla. They will be confined to the ChrootDirectory you set above and cannot reach anything else on the system.

Make sure to select the SFTP protocol in FileZilla.

When you connect, you’ll be prompted to accept the server key. Accept it and continue.

Connect and use the SFTP service.

Enjoy!

10 responses to “How to Restrict SFTP with Chroot on Ubuntu Linux”

  1. Wallis

    Great article – many thanks
    A quick question, all users have access to their private sftp directory, how do you enable all of them to a shared directory?

    1. Benjamin Wolverton

      This is missing that you have to set the user to be owned by root and you need to change the login shell to /bin/false. You can do all of that, create a new user and assign them to the group all in one command:
      (Note: where it says "username", enter the name of the new user you want to create and assign to the group.)
      sudo useradd -g sftponly -s /bin/false -m -d /home/username username
      The -g sftponly option will add the user to the sftponly group.
      The -s /bin/false option sets the user's login shell. By setting the login shell to /bin/false, the user will not be able to log in to the server via SSH.
      The -m -d /home/username options tell useradd to create the user's home directory.

  2. loki

    Connection refused …
    Thanks!

  3. Gavin Simpson

    Well explained, thanks. Worked 100% first time which is pretty rare these days 🙂

    Perhaps you could elaborate a bit, by adding keys to the process instead of passwords.

  4. Keegan Jacobson

    Your first command 'sudo update' isn't a valid command. I believe you mean 'sudo apt-get update'.

    1. Student

      Thanks, updated

  5. dals

    Works great. But I didn’t do my homework and I changed /etc/ssh/sshd_config without thinking. Now I can’t connect to the server again. I don’t have physical access… wat do? Seriously though, I’m in trouble now.

  6. cizi

    OK, I used these settings but my SSH login with an SSH key stopped working. Any idea what can be wrong?

  7. Quark

    Hi, I can't connect to the server, and in the sshd_config file my first line isn't the same as yours. I can't find the text of your first line anywhere else, so I'm a bit lost.
    I've done all the remaining steps.
