Chrooted SFTP Without Shell Access
Sometimes you need to give someone a way to upload files to your server. I don’t like FTP: it sends credentials and data in the clear, and frankly I don’t want to run a separate FTP server just for that. Plain SFTP has a different problem: it rides on SSH, so by default the account is a normal SSH account that can browse the whole filesystem and has a shell. This tutorial shows how to set up an SFTP-only account that is chrooted into its home directory and has no shell access.
First of all, edit /etc/ssh/sshd_config and add or change the following. The Match block has to go at the end of the file, because everything after a Match line belongs to that block:
    #Subsystem sftp /usr/lib/openssh/sftp-server
    Subsystem sftp internal-sftp

    Match Group sftp
        ChrootDirectory %h
        ForceCommand internal-sftp
        AllowTcpForwarding no
The first line replaces the external sftp-server binary with the SFTP server built into sshd. That is what makes the chroot work at all: inside the jail there is no /usr/lib/openssh, no shell and no libraries, so an external sftp-server could never be started.
The second line (Match Group sftp) makes everything below it apply only to members of the sftp group; the block ends at the next Match line or at the end of the file.
ChrootDirectory %h confines the user to their home directory (%h expands to it), so nothing outside of it is visible.
ForceCommand internal-sftp makes the SFTP server the only thing the account can run, whatever command the client asks for, and AllowTcpForwarding no stops the account from being used to tunnel TCP connections through your server. (X11Forwarding no and AllowAgentForwarding no are sensible additions to the same block.)
Check the configuration with sshd -t before you reload or restart sshd; a typo in sshd_config only shows up on restart, when it can lock you out.
Next, create the sftp group and a user in it. The login shell is set to /bin/false so the account cannot log in interactively; internal-sftp runs inside sshd and does not need a shell:
    groupadd sftp
    useradd -d /path/to/sftp/folder -s /bin/false -G sftp Username
    passwd Username
There is one more thing to take care of. sshd requires the chroot directory, and every directory above it up to /, to be owned by root and not writable by group or others; otherwise the login fails and the auth log shows "bad ownership or modes for chroot directory". Since the user therefore cannot write to the home directory itself, create a subdirectory owned by the user for uploads. For example:
    mkdir -p /path/to/sftp/folder
    chown root:root /path/to/sftp/folder
    chmod 755 /path/to/sftp/folder
    mkdir /path/to/sftp/folder/uploads
    chown Username:Username /path/to/sftp/folder/uploads
I found most of the information for this in this German blog post: http://madapez.com/it/linux/howto-chroot-sftp-zugang-openssh-ohne-shell-ssh/