Chroot SFTP connection

With the new version of OPENSSH CHRoot has become was easier, with the user of ChrootDirectory

For this example we will user the following

username – sftpuser

group – sftponly

Ensure the latest OPENSSH is installed a guide can be found here

cd /etc/ssh

vi sshd_config

Navigate to the bottom

comment out any Subsytem lines and add the following

Subsystem       sftp    internal-sftp

Macth Group sftponly    sftponly is the group name that you have allocated and want to limit access to

ChrootDirectory %h

ForceCommand internal-sftp

AllowTcpForwarding no

My file looks like this

# override default of no subsystems
#Subsystem      sftp    /usr/local/libexec/sftp-server
Subsystem       sftp    internal-sftp

# Example of overriding settings on a per-user basis
#Match User anoncvs
#       X11Forwarding no
#       AllowTcpForwarding no
#       ForceCommand cvs server

Match Group sftponly
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
ChrootDirectory %h

Save and exit the file

groupadd sftponly
chown root:root /home
chmod 755 /home


useradd sftpuser

usermod -g sftponly sftpuser
usermod -s /bin/false sftpuser
usermod -d /home/sftpuser sftpuser
passwd sftpuser

To create the jail

chmod 755 /home/sftpuser
chown root:root /home/sftpuser
mkdir /home/sftpuser/xxxxx     where xxxxx is a directory name of your choice
chown sftpuser:sftponly /home/sftpuser/xxxxx

to see if this works

ssh sftpuser@x.x.x.x

It will prompt for a password, it should allow the password and then close the session down

sftp sftpuser@x.x.x.x

It will prompt for a password and then take you to the home directory, you must cd into the directory created to put files.


You often need to have the user logon seamlessly from another system.

For this to happen make sure the same user is set up on the remote system


ssh-keygen -t rsa

Press enter for the default option to storing the key in the home directory and do not enter a pass phrase

This key then needs to be copied to the server that has just beem CHROOTED

cat /home/xxxxx/.ssh/ | ssh xxxx@server ‘cat >> /home/xxxxx/.ssh/authorized_keys’

cat /home/xxxxx/.ssh/ | ssh xxxx@server ‘cat >> /home/xxxxx/.ssh/authorized_keys2’

Some system need the authorized_keys2 file, a good explanation of this process can be found here


This in one of the areas that can be a pain in the arse, drop me a line if you need help or have some more to add to this post. There are a lot of people out there wanting to do this based on the hits on this particular blog.




One Comment on “Chroot SFTP connection”

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s