How to Restrict SFTP Users to Home Directories Using chroot Jail
In this tutorial, we will be discussing how to restrict SFTP users to their home directories or specific directories. It means the user can only access his/her respective home directory, not the entire file system.
Restricting users home directories is vital, especially in a shared server environment, so that an unauthorized user won’t sneak peek into the other user’s files and folders.
Important: Please also note that the purpose of this article is to provide SFTP access only, not SSH logins, by following this article will have the permissions to do file transfer, but not allowed to do a remote SSH session.
The simplest way to do this, is to create a chrooted jail environment for SFTP access. This method is same for all Unix/Linux operating systems. Using chrooted environment, we can restrict users either to their home directory or to a specific directory.
Restrict Users to Home Directories
In this section, we will create new group called sftpgroup and assign correct ownership and permissions to user accounts. There are two choices to restrict users to home or specific directories, we will see both way in this article.
Create or Modify Users and Groups
Let us restrict the existing user, for example hacktesec
, to his/her home directory named /home/
hacktesec. For this, you need to create a new sftpgroup group using groupadd command as shown:
# groupadd sftpgroup
Next, assign the user ‘hacktesec’ to sftpgroup group.
# usermod -G sftpgroup hackthesec
You can also create a new user using useradd command, for example senthil
and assign the user tosftpusers group.
# adduser senthil -g sftpgroup -s /sbin/nologin
# passwd hackthesec
Modify SSH Configuration File
Open and add the following lines to /etc/ssh/sshd_config
configuration file.
Subsystem sftp internal-sftp
Match Group sftpgroup
ChrootDirectory /home
ForceCommand internal-sftp
X11Forwarding no
AllowTcpForwarding no
Save and exit the file, restart sshd service to take new changes into effect.
# systemctl restart sshd
OR
# service sshd restart
If you chroot multiple users to the same directory, you should change the permissions of each user’s home directory in order to prevent all users to browse the home directories of the each other users.
# chmod 700 /home/hackthesec
Verify SSH and SFTP Users Login
Now, it’s time to check the login from a local system. Try to ssh your remote system from your local system.
# ssh hackthesec@192.168.1.150
Here,
- hacktesec – remote system’s username.
- 192.168.1.150 – Remote system’s IP address.
Sample output:
hackthesec@192.168.1.150's password:
Could not chdir to home directory /home/hackthesec: No such file or directory
This service allows sftp connections only.
Connection to 192.168.1.150 closed.
Then, access remote system using SFTP.
# sftp hackthesec@192.168.1.150
Sample output:
hackthesec@192.168.1.150's password:
Connected to 192.168.1.150.
sftp>
Let us check the current working directory:
sftp> pwd
Remote working directory: /
sftp> ls
hackthesec
Here, hackthesec is the home directory. Cd to the hackthesec directory and create the files or folders of your choice.
sftp> cd hackthesec
Remote working directory: /
sftp> mkdir test
hackthesec
Restrict Users to a Specific Directory
In our previous example, we restrict the existing users to the home directory. Now, we will see how to restrict a new user to a custom directory.
Create Group and New Users
Create a new group sftpgroup
.
# groupadd sftpgroup
Next, create a directory for SFTP group and assign permissions for the root user.
# mkdir -p /sftpusers/chroot
# chown root:root /sftpusers/chroot/
Next, create new directories for each user, to which they will have full access. For example, we will create hackthesec user and it’s new home directory with correct group permission using following series of commands.
# adduser hackthesec -g sftpgroup -s /sbin/nologin
# passwd hackthesec
# mkdir /sftpusers/chroot/hackthesec
# chown hackthesec:sftpgroup /sftpusers/chroot/hackthesec/
# chmod 700 /sftpusers/chroot/hackthesec/
Configure SSH for SFTP Access
Modify or add the following lines at the end of the file:
#Subsystem sftp /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftp
Match Group sftpgroup
ChrootDirectory /sftpusers/chroot/
ForceCommand internal-sftp
X11Forwarding no
AllowTcpForwarding no
Save and exit the file. Restart sshd service to take effect the saved changes.
# systemctl restart sshd
OR
# service sshd restart
That’s it, you can check by logging into the your remote SSH and SFTP server by using the step provided above at Verify SSH and SFTP login.
Be mindful that this method will disable the shell access, i.e you can’t access the remote system’s shell session using SSH. You can only access the remote systems via SFTP and do file transfer to and from the local and remote systems.