While configuring an SFTP server for public use in your organization, you will often require that each user of the SFTP server can access only their own home directory and its subdirectories. All other directories should be inaccessible to them, so as to separate users from one another and maintain security among all of them. This is called a "chroot jail" in FTP terminology.

In this article we will learn how to setup such an environment.

Chroot SFTP is possible with OpenSSH (openssh-server-4.3p2-30.el5). If you are using an older OpenSSH version than this, upgrade it to openssh-server-4.3p2-30.el5 or later.

Below is a sample chroot SFTP configuration:

1.  Create a specific chrooted directory (with -p so the parent /chroot is created as well):

[root@sftp~]# mkdir -p /chroot/home

2.  Bind-mount /home onto it, so that once /chroot becomes the root, each user's home directory still appears at its usual path (/home/<user>):

[root@sftp~]#  mount -o bind /home /chroot/home

 3.  Edit /etc/ssh/sshd_config as follows:

[root@sftp~]# vim /etc/ssh/sshd_config

ChrootDirectory /chroot

Subsystem sftp internal-sftp

Please ensure that the ChrootDirectory path ("/chroot" in this example) and every directory component leading to it are root-owned and not writable by any other user or group; sshd refuses to chroot into a path that does not meet this condition. This affects all users, however; there is no per-user configuration in this setup.

4.  Restart the SSH service:

[root@sftp~]# service sshd restart

Posted in: Linux.
Last Modified: January 12, 2017
