Chrooted SFTP Without Shell Access

Sun, May 20, 2012 2-minute read

Sometimes you may need to give someone access to load files onto your server. I don’t like FTP because it’s insecure and frankly I don’t want to set up a FTP server just for that. The problem with SFTP is that the user can look through your folders and has shell access. To solve this, I’ve written this tutorial on how to set up a chrooted SFTP account without shell access.

First of all, edit the file /etc/ssh/sshd_config and add/change the following:

#Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem sftp internal-sftp

Match Group sftp
        ChrootDirectory %h
        ForceCommand internal-sftp
        AllowTcpForwarding no

The first line changes the SFTP-Subsystem to the internal SFTP-Server which is better for chrooting.

The second line (Match Group sftp) causes the lines below to only affect users in the sftp usergroup.

ChrootDirectory %h binds the users to their home directory so they can’t see what’s outside.

The next line forces internal-sftp and the last one disables TCP forwarding.

That’s it.

Now you have to create a user with the appropriate settings.

groupadd sftp
useradd -d /path/to/the/sftp/folder -s /bin/false -G sftp Username
passwd Username

There is one more thing you have to care about. The home folder of this user has to be owned by root, else you won’t be able to login. Then you can create an upload folder for the user. For example:

chown root:root /path/to/sftp/folder
mkdir /path/to/sftp/folder/uploads
chown Username:Username /path/to/sftp/folder/uploads

I found most of the information about this at this German blog: