Configuring Jailed SFTP

By default if you do service ssh start you can access the Linux system remotely using sftp or ssh. Supposed you want to restrict non-root users to /home/sftp through sftp you can do the following:

First you can check if there is a group for sftp:

cat /etc/group |grep sftp 

If nothing is shown then sftp group is non-existent. Create a group sftp:

root@bt:~# addgroup sftp
Adding group `sftp’ (GID 1001) …

root@bt:~# cat /etc/group |grep sftp

The next is to create user and attached them to group sftp.


root@bt:~# adduser –home /home/sftp sftpuser
Adding user `sftpuser’ …
Adding new group `sftpuser’ (1002) …
Adding new user `sftpuser’ (1001) with group `sftpuser’ …
Creating home directory `/home/sftpuser’ …
Copying files from `/etc/skel’ …
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for sftpuser
Enter the new value, or press ENTER for the default
Full Name []: SFTP user
Room Number []:
Work Phone []:
Home Phone []:
Other []:
Is the information correct? [Y/n] y

root@bt:~# adduser sftpuser sftp
Adding user `sftpuser’ to group `sftp’ …
Adding user sftpuser to group sftp

Edit the sshd config file in /etc/ssh/sshd_config:

Look for key word Subsystem, you will find a default clause that looks like this:

Subsystem sftp /usr/lib/openssh/sftp-server

Changed to this:

#Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem sftp internal-sftp

Scroll down until the end of file and add these:

Match group sftp
ChrootDirectory /home/%u
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp

Save the config file and exit.

This is to change /home/sftpuser directory to a root directory when sftpuser logs in, this is to jail sftpuser only to /home/sftpuser and no where else.

chown root:root /home/sftpuser

usermod -d / sftpuser

Originally I made sftpuser to be in /home/sftpuser but I failed to jail it, sftp user can break out of /home/sftpuser and go anywhere within the system. Now I shall test the jailing by sftping to my localhost.

root@bt:~# sftp sftpuser@localhost
Connecting to localhost…
sftpuser@localhost’s password:
sftp> ls
sftp> pwd
Remote working directory: /

sftp> cd ../../../
sftp> pwd
Remote working directory: /
sftp> ls



Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s