Use chroot to restrict SFTP users to the home directory


In this tutorial, we will discuss how to restrict SFTP users to their home directory or to a specific directory, so that each user can only access that directory and not the entire file system.

It is important to restrict users to their home directories, especially on a shared server, so that users cannot peep into other users' files and folders.

Important note: the purpose of this article is to provide SFTP access only, not SSH login. After following it, the users in question can transfer files, but they cannot open a remote SSH shell session.

Recommended reading: Use Chrooted Jail to restrict SSH users from accessing certain directories

1. Restrict users to home directory

In this section, we will create a new group called sftpgroup and assign the correct ownership and permissions to the user account. There are two options to restrict users to home directories or specific directories, and we'll see both in this article.

1.1 create or modify users and groups

Let's limit an existing user, for example tecmint, to his or her home directory /home/tecmint. To do this, use the groupadd command to create a new group called sftpgroup, as follows:

# groupadd sftpgroup

Next, add the user tecmint to sftpgroup. The -a flag appends the group, so the user keeps any supplementary groups he or she already belongs to (a bare -G would replace them):

# usermod -aG sftpgroup tecmint

Alternatively, you can use the adduser command to create a new user, senthil, with sftpgroup as the primary group and no login shell:

# adduser senthil -g sftpgroup -s /sbin/nologin
# passwd senthil

1.2 modify SSH configuration file

Open the /etc/ssh/sshd_config configuration file and add the following lines. Replace the existing Subsystem sftp line rather than adding a second one, because sshd refuses to start when a subsystem is defined twice.

Subsystem sftp internal-sftp

Match Group sftpgroup
   ChrootDirectory /home
   ForceCommand internal-sftp
   X11Forwarding no
   AllowTcpForwarding no

Save and exit the file and restart the sshd service for the new changes to take effect.

# systemctl restart sshd
OR
# service sshd restart

If several users are chrooted to the same directory (/home here), tighten the permissions of each user's home directory so that users cannot browse each other's home directories:

# chmod 700 /home/tecmint

1.3 verify SSH and SFTP user login

Now it's time to verify the login from a local system. First, try to open an SSH session to the remote system:

# ssh tecmint@192.168.1.150

Here,

  • tecmint – username of the remote system.
  • 192.168.1.150 – IP address of the remote system.

Output:

tecmint@192.168.1.150's password: 
Could not chdir to home directory /home/tecmint: No such file or directory
This service allows sftp connections only.
Connection to 192.168.1.150 closed.

The SSH session is refused, as intended. Then, use SFTP to access the remote system:

# sftp tecmint@192.168.1.150

Output:

tecmint@192.168.1.150's password: 
Connected to 192.168.1.150.
sftp>

Let's check the current working directory. Inside the jail, /home is the root of the file system the user sees, which is why the home directory /home/tecmint could not be found in the SSH attempt above and why the remote working directory is reported as /:

sftp> pwd
Remote working directory: /

sftp> ls
tecmint

2. Restrict users to specific directories

In the previous example, we restricted existing users to their home directory. Now we'll see how to restrict new users to a custom directory.

2.1 creating groups and new users

Create a new group sftpgroup.

# groupadd sftpgroup

Next, create a directory for the SFTP group and make it owned by root. sshd requires every component of the ChrootDirectory path to be owned by root and not writable by group or others, otherwise the login fails with a "bad ownership or modes for chroot directory" error.

# mkdir -p /sftpusers/chroot
# chown root:root /sftpusers/chroot/

Next, create a directory inside the jail for each user; the user has full access to his or her own directory only. For example, the following series of commands creates a user with the correct group, no login shell, and a new home directory with the right ownership and permissions:

# adduser tecmint -g sftpgroup -s /sbin/nologin
# passwd tecmint
# mkdir /sftpusers/chroot/tecmint
# chown tecmint:sftpgroup /sftpusers/chroot/tecmint/
# chmod 700 /sftpusers/chroot/tecmint/

2.2 configure SSH for SFTP access

Modify or add the following lines at the end of /etc/ssh/sshd_config, commenting out the stock Subsystem line as shown:

#Subsystem  	sftp	/usr/libexec/openssh/sftp-server
Subsystem sftp  internal-sftp
 
Match Group sftpgroup
   ChrootDirectory /sftpusers/chroot/
   ForceCommand internal-sftp
   X11Forwarding no
   AllowTcpForwarding no

Save and exit the file. Restart the sshd service for the saved changes to take effect.

# systemctl restart sshd
OR
# service sshd restart
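Before restarting sshd, it is worth checking that the edited file has exactly the shape that both section 1.2 and section 2.2 rely on: one active Subsystem line using internal-sftp, and a Match Group block that chroots, forces internal-sftp and disables forwarding. The following POSIX shell checker is an added example, not part of the original article; the function name, the file names and the two sample configurations (one mirroring the block above, one reproducing the common mistake of leaving the stock sftp-server Subsystem line active and forgetting the forwarding directives) are constructed for this example.

```shell
#!/bin/sh
# Lint an sshd_config for the SFTP-only chroot pattern used in this article:
# check_sftp_chroot_config <config file> <group> -> exit 0 if OK, 1 with FAIL lines otherwise.
check_sftp_chroot_config() {
    cfg=$1; grp=$2; rc=0
    # Active (uncommented) "Subsystem sftp" lines: sshd refuses to start on duplicates.
    n=$(grep -Eic '^[[:space:]]*Subsystem[[:space:]]+sftp[[:space:]]' "$cfg" || true)
    [ "$n" -eq 1 ] || { echo "FAIL: expected one active 'Subsystem sftp' line, found $n"; rc=1; }
    # The jail contains no binaries, so the in-process internal-sftp server is required.
    grep -Eiq '^[[:space:]]*Subsystem[[:space:]]+sftp[[:space:]]+internal-sftp' "$cfg" ||
        { echo "FAIL: 'Subsystem sftp' must use internal-sftp"; rc=1; }
    # Collect the non-comment lines of the "Match Group <grp>" block (ends at next Match or EOF).
    block=$(awk -v g="$grp" '
        tolower($1) == "match" { inblk = (tolower($2) == "group" && $3 == g); next }
        inblk && $0 !~ /^[[:space:]]*#/ && $0 ~ /[^[:space:]]/ { print }' "$cfg")
    [ -n "$block" ] || { echo "FAIL: no 'Match Group $grp' block found"; return 1; }
    # Each directive the article's block relies on, as "Keyword value" pairs.
    for want in "ChrootDirectory /" "ForceCommand internal-sftp" \
                "X11Forwarding no" "AllowTcpForwarding no"; do
        key=${want%% *}; val=${want#* }
        printf '%s\n' "$block" | grep -Eiq "^[[:space:]]*$key[[:space:]]+$val" ||
            { echo "FAIL: 'Match Group $grp' block lacks '$want'"; rc=1; }
    done
    return $rc
}

# Constructed sample configs for a stand-alone run (not the article's real files).
GOOD_CFG=$(mktemp); BAD_CFG=$(mktemp); trap 'rm -f "$GOOD_CFG" "$BAD_CFG"' EXIT
cat >"$GOOD_CFG" <<'EOF'
#Subsystem sftp /usr/libexec/openssh/sftp-server
Subsystem sftp  internal-sftp

Match Group sftpgroup
   ChrootDirectory /sftpusers/chroot/
   ForceCommand internal-sftp
   X11Forwarding no
   AllowTcpForwarding no
EOF
# Common mistake: stock Subsystem line left active, forwarding directives forgotten.
cat >"$BAD_CFG" <<'EOF'
Subsystem sftp /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftp
Match Group sftpgroup
   ChrootDirectory /home
   ForceCommand internal-sftp
EOF
check_sftp_chroot_config "$GOOD_CFG" sftpgroup && echo "good config: OK"
check_sftp_chroot_config "$BAD_CFG" sftpgroup || echo "bad config: rejected as expected"
```

Run it against a copy of /etc/ssh/sshd_config and your group name; it complements, but does not replace, `sshd -t`, which validates syntax without knowing what the block is meant to achieve.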

Now use the steps in section 1.3 "verify SSH and SFTP user login" above to confirm that the SSH login is refused and that the SFTP login lands inside the jail.

Note that this method disables shell access: you cannot open an SSH shell session on the remote system. You can only reach it through SFTP and transfer files between the local and remote systems.

3. Conclusion

Now you know how to use the Chroot environment in Linux to limit users' home directories. If you find this useful, please share this article on your social network and tell us in the comments section below whether there are other ways to limit users' home directories.

4. Reference

How to Restrict SFTP Users to Home Directories Using chroot Jail
Use chroot to restrict SSH users from accessing the specified directory

Tags: Linux Operation & Maintenance ssh

Posted by wih on Thu, 19 May 2022 14:27:23 +0300