Tutorial Comments FAQ Related Articles

How To Restrict SFTP Users Home Directories in Linux

1010

To Restrict SFTP Users Home Directories in Linux

Restricting Users Home directories is important, especially in a shared server environment. So the unauthorized user cannot access the other user’ s files. The various steps to Restrict SFTP Users Home Directories Using chroot Jail is explained in this article.


1. Restricting SFTP Users to Home Directories


To Create or Modify Users and Groups

Restrict the existing user to home directory and create a new group by using the groupadd command as shown below.

[root@linuxhelp ~]# groupadd group1

Now you need to assign the existing user to “ group1” group.

[root@linuxhelp ~]# usermod -G group1 user1

Modifying the SSH Configuration File

Open " /etc/ssh/sshd_config" file and mention the directory to be blocked in chrootdirectory column.

[root@linuxhelp ~]# vim /etc/ssh/sshd_config

Append the following lines.

Subsystem sftp internal-sftp
   Match Group group1
   ChrootDirectory /home
   ForceCommand internal-sftp
   X11Forwarding no
   AllowTcpForwarding no

Save and quit the file.

Restart sshd service to bring new changes into effect.

[root@linuxhelp ~]# systemctl restart sshd
OR
[root@linuxhelp ~]# service sshd restart

Modify the permission of " user 1" to block the access from other users.

[root@linuxhelp ~]# chmod 700 /home/user1

Checking SSH and SFTP Users Login

Verify the login from a local host and try to login with ssh in remote host.

[root@linuxhelp ~]# ssh user1@192.168.5.88
user1@192.168.5.88' s password:
Could not chdir to home directory /home/user1: No such file or directory
This service allows sftp connections only.
Connection to 192.168.5.88 closed.

You cannot login to the remote host via ssh connection. Try logging with SFTP.

[root@linuxhelp ~]# sftp user1@192.168.5.88
user1@192.168.5.88' s password:
Connected to 192.168.5.88.
sftp>

Verify the current working directory.

sftp>  pwd
Remote working directory: /
sftp>  ls
user1

Move to user1 directory and now you have access to create files or folders. If you try to access any other directories, error occurs.

sftp>  cd user1
sftp>  cd /root
Couldn' t canonicalise: No such file or directory


2. Restricting SFTP Users to a Specific Directory

In ssh configuration file, change the " ChrootDirectory" to any other directory that you want to restrict. Here, we are restricting /project/files.

[root@linuxhelp ~]# vim /etc/ssh/sshd_config
Match Group group1
   ChrootDirectory /project/files
   ForceCommand internal-sftp
   X11Forwarding no
   AllowTcpForwarding no

Create the directory, as we mentioned in the ssh configuration file.

[root@linuxhelp ~]# mkdir -p /project/files

Now restart sshd service to bring the changes into effect.

[root@linuxhelp ~]# systemctl restart sshd
OR
[root@linuxhelp ~]# service sshd restart

Tags:
Author: 

Comments ( 1 )

d4niel
when doing "ChrootDirectory /project/files", I get “Connection to [host] closed by remote host” and can no longer connect.
Add a comment

Frequently asked questions ( 5 )

Q

How to restrict multiple users to their own home directories

A

Change the /home to whichever directory you need the user should restricted to. Eg: ChrootDirectory /home/

Q

rsync error: protocol incompatibility (code 2) at /SourceCache/rsync/rsync-42/rsync/compat.c(61) [receiver=2.6.9] Any ideas? Thanks

A

I think its due to different versions of rsync installed on servers, make sure you have same version of rsync or may be different flavors of Linux distros used here, you need to check..

Q

Thanks for the article. I’m learning about SFTP now and was curious and wanted to know how to CHROOT its users from Centos 7.

A

You’re better of creating a SFTP root as /home/sftproot and then putting your SFTP users home directories under /home/sftproot/home. Then when that user logs in they’ll automatically get put

Q

is there any sftp command to use encrytion

A

follow this link : https://www.linuxhelp.com/sftp-command-transfer-encrypted-files/

Q

I meant I can not reach my odoo server locally anymore?

A

If you remove the 127.0.0.1 part and restart the server you will be able to run it locally on port 8069.

Related Tutorials in How To Restrict SFTP Users Home Directories in Linux

Related Tutorials in How To Restrict SFTP Users Home Directories in Linux

How to Install FileZilla in Debian
How to Install FileZilla in Debian
Nov 29, 2016
How To Restrict SFTP Users Home Directories in Linux
How To Restrict SFTP Users Home Directories in Linux
Jun 4, 2016
How To Set Email Alerts for SSH Root Login In Linux
How To Set Email Alerts for SSH Root Login In Linux
Jun 22, 2016
How to add SSH key to a GitLab account
How to add SSH key to a GitLab account
Apr 22, 2017
How to block SSH access for client host
How to block SSH access for client host
Feb 13, 2017
How to remove user accounts with home directory in Linux
How to remove user accounts with home directory in Linux
Mar 25, 2016
SSH Command in Linux with Examples
SSH Command in Linux with Examples
Mar 22, 2016
How to set up an SFTP server on Debian 11.3
How to set up an SFTP server on Debian 11.3
Jan 2, 2023

Related Forums in How To Restrict SFTP Users Home Directories in Linux

Related Forums in How To Restrict SFTP Users Home Directories in Linux

Ubuntu
matthew class=
Failed to enable unit: Refusing to operate on linked unit file sshd.service
Apr 15, 2019
Linux
markdjokovic class=
Sftp error code 255
Apr 12, 2021
SSH
isaac class=
How to block ssh port in iptables
Aug 29, 2017
OpenSSH
caden class=
Warning Remote Host Identification Has Changed!
Feb 6, 2017
Ubuntu
keshavadk class=
FTP and SFTP server using Python
Apr 21, 2020
SSHD
caden class=
Permission denied (publickey,password)
Apr 15, 2019
CentOS
philippe class=
Cannot start sshd service
Feb 15, 2018
SSH
carter class=
how to use nautilus in ssh server
May 27, 2017
Back To Top!