How to Setup SFTP Chroot Jail in Linux
Setup SFTP Chroot Jail in Linux – Restrict SFTP users to a specific directory.
In this article we do all the steps with screenshots. If you want a quicker way, see "How to Setup SFTP Chroot Jail in Linux with Simple Steps".
SFTP is the SSH File Transfer Protocol (also called Secure File Transfer Protocol), similar to FTP. SFTP performs all operations over an encrypted SSH transport.
An SFTP chroot jail restricts all SFTP users to a specific directory.
Here we are going to install and configure an SFTP chroot jail on Linux (Red Hat, Ubuntu, CentOS) with screenshots.
Step 1: Install and Configure SFTP on Linux
On most Linux distributions sftp is installed by default together with the OpenSSH server. On RHEL 7, RHEL 8, CentOS 7 & CentOS 8 we can check with “yum list openssh-*” and “which sftp”:
$ yum list openssh-*
$ which sftp
On Ubuntu 16.04, Ubuntu 18 & Ubuntu 20.04 Linux servers you can use “sudo dpkg -l openssh-server” and “which sftp”:
$ sudo dpkg -l openssh-server
$ which sftp
Check the difference between an SFTP Chroot and an SFTP Non-Chroot Environment:
When you configure SFTP as a Non-Chroot Environment and log in to the sftp server, you can see any directory (even root’s files) on the server, as shown below:
SFTP Non-Chroot Environment:
Below you can see sftpuser1 log in to the sftp server and view the ‘/’ folder
Access sftp Ubuntu 16, Ubuntu 18 & Ubuntu 20
sftpuser1 can even download files from ‘/’ and ‘/etc’ - Ubuntu 16, Ubuntu 18 & Ubuntu 20
Below you can see sftpuser1 log in to the sftp server and view the ‘/’ folder
Access sftp RHEL 7, RHEL 8, CentOS 7 & CentOS 8
sftpuser1 can even download files from ‘/’ and ‘/etc’ - RHEL 7, RHEL 8, CentOS 7 & CentOS 8
As you can see above, in an SFTP Non-Chroot Environment sftpuser1 can access any folder on the SFTP server. To solve this we will set up an SFTP Chroot Environment.
Let us see what the difference is once the SFTP Chroot Environment is set up.
Let us see how we can set up an SFTP Chroot Environment:
Create a New Group
Create or Modify User to access SFTP Server
Append sshd_config file to setup sftp-server Subsystem
Specify Chroot Directory
Create SFTP home directory
Permission directories as per chroot
Restart & Test SFTP Chroot
1. Create a New Group
We will create a new group called sftplinux-techies. Every user that belongs to this group will automatically be restricted to the SFTP chroot setup.
$ groupadd sftplinux-techies
2. Create or Modify User to access SFTP Server
Here we will create a user natasha-sftp with the following settings:
- username natasha-sftp
- assigned to the sftplinux-techies group (which we created in the last step)
- user home directory is /natashasftp-uploading
- user is allowed to perform SFTP chroot access only
- user is not allowed SSH shell access
$ useradd -g sftplinux-techies -d /natashasftp-uploading -s /sbin/nologin natasha-sftp
3. Configure SSH: edit sshd_config to set up the sftp-server Subsystem
We will configure SSH to create the SFTP Chroot Environment:
$ vi /etc/ssh/sshd_config
Search for “Subsystem”:
Subsystem sftp /usr/libexec/openssh/sftp-server
Comment out the above line:
#Subsystem sftp /usr/libexec/openssh/sftp-server
Add the line below:
Subsystem sftp internal-sftp
4. Specify Chroot Directory
Go to the end of the file and add the lines below (the chroot path must match the directory we create in the next step):
Match Group sftplinux-techies
ChrootDirectory /sftplinux-techies/%u
ForceCommand internal-sftp
AllowTcpForwarding no
X11Forwarding no
Save & exit by typing Esc, then :x
Match Group sftplinux-techies: applies the settings that follow only to members of the group we created in Step 1
ChrootDirectory /sftplinux-techies/%u: the jail root for each user (%u expands to the username); we create this directory in the next step
ForceCommand internal-sftp: forces the in-process SFTP server, so these users get no shell
AllowTcpForwarding no and X11Forwarding no: disable port forwarding and X11 forwarding for these users
5. Create SFTP home directory
As we have specified /sftplinux-techies/%u as ChrootDirectory above, we will create this directory tree. It takes the place of /home for all sftp users in the sftplinux-techies group.
$ mkdir /sftplinux-techies
Create a sub-directory for the user, which is “natasha-sftp”:
$ mkdir /sftplinux-techies/natasha-sftp
Create another sub-directory, the one we gave as the home directory when creating or modifying the user in Step 2, i.e. /natashasftp-uploading:
$ mkdir /sftplinux-techies/natasha-sftp/natashasftp-uploading
All directories and sub-directories in one go:
$ mkdir -p /sftplinux-techies/natasha-sftp/natashasftp-uploading
This is the directory where the sftp user can upload and download files. The folder /sftplinux-techies/natasha-sftp is the jail root for the natasha-sftp user. When natasha-sftp connects over sftp to this server and performs “cd /”, the user sees only the content of /sftplinux-techies/natasha-sftp, not the actual “/” of the server. This is what an SFTP Chroot Environment or SFTP Chroot Jail is.
We are restricting the user to its own directory tree, not the real ‘/’, when we hit “cd /”.
6. Set directory permissions as required by chroot – this is the most important step
Here we set the appropriate permissions on the folders and sub-folders created above; the SFTP chroot only works when the permissions are right. sshd requires the ChrootDirectory and every directory above it to be owned by root and not writable by group or others, so only the upload sub-directory is handed to the user:
- Folder: /sftplinux-techies/natasha-sftp/natashasftp-uploading
- Owner: natasha-sftp
- Group: sftplinux-techies
$ chown natasha-sftp:sftplinux-techies /sftplinux-techies/natasha-sftp/natashasftp-uploading
The result of the above will be:
Permissions for /sftplinux-techies/natasha-sftp should look like the following:
Permissions for /sftplinux-techies should look like the following:
7. Restart & Test SFTP Chroot
After completing all the above steps successfully, restart the sshd service:
$ systemctl restart sshd
Let us test our newly set up SFTP Chroot Environment:
$ sftp natasha-sftp@xxx.xxx.xxx.xxx
Now you can see that the natasha-sftp user lands in its home directory, /natashasftp-uploading. When we do "cd /", the directory we reach is really /sftplinux-techies/natasha-sftp/ on the server. When we try "cd /etc" it gives "Couldn't canonicalize: No such file or directory". This is the beauty of the SFTP Chroot Environment.
Summary
We have successfully set up an SFTP Chroot Jail in Linux. If you have any questions or comments, please leave them here or in the linuxproguru.com comments section of this site.