This mini how-to addresses jailing of SFTP users (SFTP = SSH File Transfer Protocol), which means restricting each user’s access to their own home directory. It also disables shell login, so if restricted shell access is still needed, additional configuration must be done, and all fingers point towards http://olivier.sessink.nl/jailkit/
• Edit your sshd_config file.
• Find the line where /usr/libexec/openssh/sftp-server resides (path is distribution dependent).
• Replace it with internal-sftp. The whole line should look like:
Subsystem sftp internal-sftp
• Create a group “upload” or “sftpusers” – something intuitive. Every user that you want to grant upload access via SFTP must be a member of this group.
• In your sshd_config file add:
Match Group upload
    ChrootDirectory %h
    AllowTCPForwarding no
    X11Forwarding no
    ForceCommand internal-sftp
NB: Further access control can be enforced by playing with Match Group X or Match User Y.
• Check for errors by doing a fast:
service sshd reload
• Next, add a group under which we will gather all accounts that we want to allow upload access. I’m going to add a system user (no login) and a group with the same name.
Debian: adduser --system --group upload
CentOS: adduser -M -s /bin/false upload
• Issue the following commands:
chown -R root:root /home
chmod -R 755 /home
usermod -aG upload user1 ; usermod -aG upload user2 (and so on for each user)
chown -R user1:upload /home/user1/directory_you_wish_to_be_writeable
(tip: shell wildcards work here, e.g. chown -R user1:upload /home/user1/*/www)
• At this point, run service sshd restart and check for any errors.
• Final exam: simply log in with FileZilla (SFTP!) or your client of choice and try to