Chrooted SFTP-Only Access Configuration
This guide describes how to set up a chrooted environment with SFTP-only access for users, using SSH keys.
Prerequisites
- A server running GNU/Linux.
- Root access to the server.
- OpenSSH installed and running.
Steps
1. Create a Chroot User
adduser <username>
2. Create SFTP Group
groupadd sftpusers
3. Add the User to SFTP Group
usermod -aG sftpusers <username>
4. Setup Chroot Directory
Create a directory for SFTP users, ensuring proper ownership and permissions. sshd only chroots into a directory when every component of its path is owned by root and not writable by group or others, so the chroot directory itself must stay root-owned; the user gets a writable subdirectory inside it.
mkdir -p /sftp/<username>/upload   # "upload" is an example name for the user-writable subdirectory
chown root:root /sftp /sftp/<username>
chmod 755 /sftp /sftp/<username>
chown <username>:<username> /sftp/<username>/upload
chmod 700 /sftp/<username>/upload
5. Configure SSH for SFTP Access
Modify /etc/ssh/sshd_config to use internal SFTP and set restrictions.
- Update the Subsystem line:
Subsystem sftp internal-sftp
- Add a Match block at the end:
Match Group sftpusers
    ChrootDirectory /sftp/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
6. Setup User's SSH Keys
Create and configure SSH directories for the user:
mkdir /home/<username>/.ssh
touch /home/<username>/.ssh/authorized_keys
chmod 700 /home/<username>/.ssh
chmod 600 /home/<username>/.ssh/authorized_keys
chown <username>:<username> /home/<username>/.ssh
chown <username>:<username> /home/<username>/.ssh/authorized_keys
Copy the public SSH key to /home/<username>/.ssh/authorized_keys.
7. Restart SSH Service
systemctl restart sshd
Verification
- Attempt an SFTP connection to verify restricted access.
- Ensure users cannot access the shell.
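The following script is an added example, not part of the original guide. It checks, before sshd is restarted, that the ChrootDirectory path from step 4 satisfies the ownership and mode rules sshd enforces, and renders the Match block from step 5; the function names check_chroot_path and render_match_block and the optional owner-uid argument are assumptions of this example.

```sh
#!/bin/sh
# Added example, not part of the original guide.
# sshd refuses a ChrootDirectory unless every component of its absolute path
# is owned by root (uid 0) and is not writable by group or others.  Running
# this check before "systemctl restart sshd" catches the classic mistake of
# chowning /sftp/<username> to the user.

# check_chroot_path DIR [OWNER_UID]
#   Prints every violating component; returns 0 only when all are clean.
#   OWNER_UID defaults to 0 and exists (an assumption of this script) so the
#   check can be exercised on a non-root test tree.  Pass an absolute path in
#   production (sshd checks every component up to "/"); a relative path
#   checks only its own components, below the current directory.
check_chroot_path() {
  dir=$1
  want_uid=${2:-0}
  rc=0
  case $dir in /*) path="" ;; *) path="." ;; esac
  old_ifs=$IFS
  IFS=/
  set -- $dir
  IFS=$old_ifs
  for comp in "$@"; do
    [ -n "$comp" ] || continue
    path="$path/$comp"
    # GNU stat: %u is the owner uid, %A the symbolic mode (e.g. drwxr-xr-x)
    uid=$(stat -c '%u' "$path" 2>/dev/null) || { echo "missing: $path"; return 1; }
    mode=$(stat -c '%A' "$path")
    if [ "$uid" != "$want_uid" ]; then
      echo "bad owner: $path is uid $uid, expected $want_uid"
      rc=1
    fi
    # position 6 is the group write bit, position 9 the other write bit
    case $mode in ?????w*|????????w*)
      echo "writable by group/other: $path ($mode)"
      rc=1 ;;
    esac
  done
  return $rc
}

# render_match_block GROUP BASEDIR
#   Prints the step-5 Match block for GROUP with ChrootDirectory BASEDIR/%u.
render_match_block() {
  printf 'Match Group %s\n' "$1"
  printf '    ChrootDirectory %s/%%u\n' "$2"
  printf '    ForceCommand internal-sftp\n'
  printf '    AllowTcpForwarding no\n'
  printf '    X11Forwarding no\n'
}
```

On the real server run `check_chroot_path /sftp/<username>` as root; a non-zero exit means sshd would reject the login with a "bad ownership or modes for chroot directory component" error.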