Creating SFTP jail chroot
Creating a Chroot SFTP Jail on Debian
Setting up a chroot jail for SFTP (Secure File Transfer Protocol) enhances security by restricting users to a specific directory. This guide outlines how to create and configure an SFTP-only chroot jail on Debian-based systems, suitable for both VPS and dedicated servers.
Prerequisites
- Debian 10, 11, or 12 (or a derivative such as Ubuntu)
- Root or sudo access
- OpenSSH server installed and running
Verify SSH is installed:
<syntaxhighlight lang="bash">
sudo apt update
sudo apt install openssh-server -y
</syntaxhighlight>
Step 1: Create an SFTP Group
Create a dedicated group for chrooted SFTP users.
<syntaxhighlight lang="bash">
sudo groupadd sftpusers
</syntaxhighlight>
Step 2: Create a New User with Limited Access
Create the user, add them to the SFTP group, give them a dedicated home directory (this will become the chroot root), and set the login shell to `nologin` so no interactive session is possible.
<syntaxhighlight lang="bash">
sudo useradd -m -d /home/sftp-user -s /usr/sbin/nologin -G sftpusers sftp-user
sudo passwd sftp-user
</syntaxhighlight>
With `nologin` as the shell the user cannot open an interactive SSH session; the `ForceCommand internal-sftp` added in Step 4 then limits the account to SFTP only.
Step 3: Set Up the Chroot Directory Structure
<syntaxhighlight lang="bash">
sudo mkdir -p /home/sftp-user/uploads
sudo chown root:root /home/sftp-user
sudo chmod 755 /home/sftp-user
sudo chown sftp-user:sftpusers /home/sftp-user/uploads
</syntaxhighlight>
- The chroot root must be owned by root and not writable by any other user or group; sshd refuses the login otherwise.
- The actual upload area (`uploads`) should be owned by the SFTP user, since the user cannot write to the chroot root itself.
Step 4: Configure SSH for Chroot SFTP
Edit the SSH configuration file:
<syntaxhighlight lang="bash">
sudo nano /etc/ssh/sshd_config
</syntaxhighlight>
At the bottom of the file, add:
<syntaxhighlight lang="text">
Match Group sftpusers
    ChrootDirectory %h
    ForceCommand internal-sftp
    X11Forwarding no
    AllowTcpForwarding no
</syntaxhighlight>
Save and close the file.
Step 5: Restart SSH
Apply the new SSH configuration:
<syntaxhighlight lang="bash">
sudo systemctl restart ssh
</syntaxhighlight>
Step 6: Test the SFTP Jail
From a client system, test using:
<syntaxhighlight lang="bash">
sftp sftp-user@your_server_ip
</syntaxhighlight>
The user lands in their home directory, which the chroot presents as `/`, should be able to write only inside the `uploads` folder, and should not be able to navigate above the chroot root.
Optional: Restrict Permissions Further
To restrict access further:
- Use ACLs to manage access to shared folders
- Deny SSH access via the `DenyUsers` directive if needed

Example:
<syntaxhighlight lang="text">
DenyUsers sftp-user
</syntaxhighlight>
Troubleshooting Tips
- Ensure `/home/sftp-user` is owned by `root:root` and has `755` permissions.
- Check the `sshd` logs for errors:

<syntaxhighlight lang="bash">
sudo journalctl -xe | grep ssh
</syntaxhighlight>
- Verify the SSH config syntax before restarting:

<syntaxhighlight lang="bash">
sudo sshd -t
</syntaxhighlight>
Summary
| Step | Command or File | Purpose |
|---|---|---|
| 1 | `groupadd sftpusers` | Create SFTP-only group |
| 2 | `useradd -m -d /home/sftp-user -s /usr/sbin/nologin -G sftpusers sftp-user` | Add restricted user |
| 3 | `mkdir -p /home/sftp-user/uploads`, ownership and permission setup | Isolate upload area |
| 4 | `/etc/ssh/sshd_config` | Force `internal-sftp` in chroot |
| 5 | `systemctl restart ssh` | Apply config |
| 6 | `sftp sftp-user@your_server_ip` | Test restricted login |