Lock SFTP Users to Their Home Directory

The classic solution to the age-old problem of locking SFTP users into their home directory is a chroot environment. Traditionally that means copying the necessary binaries and libraries into the jail so that the jailed users can still run the tools needed for file transfer.

As of OpenSSH 4.9p1, things have gotten a bit easier. OpenSSH has two features that make the task of locking users into their home directories a piece of cake. They are:

  1. A built-in SFTP subsystem.
    With a built-in SFTP subsystem, you no longer need to copy binaries and their libraries into the chroot to provide the file-transfer service. OpenSSH provides an internal SFTP subsystem (internal-sftp).
  2. The Match keyword.
    This allows you to target specific users or groups in the sshd_config file and specify settings particular to them, like a chroot option and ForceCommand internal-sftp.

Getting it working is simple.

  1. Add a group called sftponly and add the users you want to lock into their home directories to that group.
  2. Edit your sshd_config file (/etc/ssh/sshd_config if you’re on FreeBSD) and add the following to the bottom:
    Match Group sftponly
            X11Forwarding no
            AllowTcpForwarding no
            ForceCommand internal-sftp
            ChrootDirectory %h
  3. That’s it. Send sshd a HUP (/etc/rc.d/sshd restart if you’re running FreeBSD) and test it out.
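The three steps above as a script, added here as an example and not taken from the original post. It assumes the sshd_config path and group name from the post (/etc/ssh/sshd_config, sftponly), an assumed "upload" subdirectory for the jailed user, and a /var/run/sshd.pid pidfile on non-FreeBSD hosts. It also adds the check the post leaves out: sshd refuses to chroot into a directory unless that directory and every one of its parents is owned by root and is not group- or world-writable (the login fails with "bad ownership or modes for chroot directory" in the log), so the user's home itself becomes read-only for them and they get a writable subdirectory instead.

```shell
#!/bin/sh
# Added example (not from the original post): jail an SFTP user with the
# OpenSSH 4.9+ built-in subsystem and the Match keyword, and verify that the
# ChrootDirectory meets sshd's ownership and mode requirements first.
# Assumptions: /etc/ssh/sshd_config, group "sftponly", an "upload" subdir
# the jailed user can write to, /var/run/sshd.pid when not on FreeBSD.

SSHD_CONFIG=${SSHD_CONFIG:-/etc/ssh/sshd_config}
GROUP=${GROUP:-sftponly}

# Print the Match block from the post for the given group.
sftp_match_block() {
    printf 'Match Group %s\n' "$1"
    printf '        X11Forwarding no\n'
    printf '        AllowTcpForwarding no\n'
    printf '        ForceCommand internal-sftp\n'
    printf '        ChrootDirectory %%h\n'
}

# Does one directory have a mode sshd accepts for a chroot root?
# Reads the ls -ld mode string (portable across GNU and BSD stat flavours):
# character 6 is the group write bit, character 9 the world write bit.
chroot_mode_ok() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case $mode in
        ?????w*|????????w*) return 1 ;;
    esac
    return 0
}

# Is the directory owned by root? (owner is field 3 of ls -ld output)
chroot_owner_ok() {
    owner=$(ls -ld "$1" | awk '{print $3}')
    [ "$owner" = root ]
}

# Walk from DIR up to / and report the first component sshd would reject.
chroot_path_ok() {
    dir=$1
    while :; do
        chroot_owner_ok "$dir" || { echo "$dir: not owned by root" >&2; return 1; }
        chroot_mode_ok "$dir"  || { echo "$dir: group/world writable" >&2; return 1; }
        [ "$dir" = / ] && return 0
        dir=$(dirname "$dir")
    done
}

# Apply the post's three steps for one login. Must run as root.
apply_sftp_jail() {
    user=$1
    home=$(awk -F: -v u="$user" '$1 == u { print $6 }' /etc/passwd)
    [ -n "$home" ] || { echo "no such user: $user" >&2; return 1; }

    # Step 1: create the group and add the user (FreeBSD uses pw(8)).
    if command -v pw >/dev/null 2>&1; then
        pw groupshow "$GROUP" >/dev/null 2>&1 || pw groupadd "$GROUP"
        pw groupmod "$GROUP" -m "$user"
    else
        getent group "$GROUP" >/dev/null || groupadd "$GROUP"
        usermod -aG "$GROUP" "$user"
    fi

    # The chroot root must be root-owned and not writable by the user, so the
    # user gets a writable "upload" subdirectory rather than the home itself.
    chown root "$home" && chmod 755 "$home"
    mkdir -p "$home/upload" && chown "$user" "$home/upload"
    chroot_path_ok "$home" || return 1

    # Step 2: append the Match block once; Match blocks must stay at the end.
    grep -q "^Match Group $GROUP\$" "$SSHD_CONFIG" \
        || sftp_match_block "$GROUP" >> "$SSHD_CONFIG"

    # Step 3: validate the config before reloading so a typo cannot lock
    # everyone out, then HUP sshd.
    sshd -t -f "$SSHD_CONFIG" || return 1
    if [ -x /etc/rc.d/sshd ]; then
        /etc/rc.d/sshd restart
    else
        kill -HUP "$(cat /var/run/sshd.pid)"   # assumed pidfile location
    fi
}

# Usage (as root): sh sftp-jail.sh apply <username>
if [ "${1:-}" = apply ] && [ -n "${2:-}" ]; then
    apply_sftp_jail "$2"
fi
```

The mode check deliberately reads ls -ld rather than stat, because stat's flags differ between FreeBSD and GNU coreutils; chroot_path_ok can be run on its own against any directory to find out which parent would make sshd reject the chroot before touching sshd_config.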
