How To Restrict SFTP Users Home Directories in Linux
Restricting users to their home directories is important, especially on a shared server, so that one user cannot read or modify another user's files. This article walks through restricting SFTP users to their home directories, and then to an arbitrary directory, using a chroot jail enforced by sshd. Note that the jail only applies to SFTP sessions: the configuration below also forces the SFTP subsystem so that members of the restricted group cannot obtain an interactive shell over SSH.
1. Restricting SFTP Users to Home Directories
To Create or Modify Users and Groups
First create a new group for the users that are to be restricted, using the groupadd command as shown below.
[root@linuxhelp ~]# groupadd group1
Now add the existing user to the " group1" group. Use -aG (append) rather than -G alone: usermod -G replaces the user's entire list of supplementary groups, which would silently remove the user from any other groups.
[root@linuxhelp ~]# usermod -aG group1 user1
Modifying the SSH Configuration File
Open the " /etc/ssh/sshd_config" file and specify the directory to jail the group in with the ChrootDirectory directive.
[root@linuxhelp ~]# vim /etc/ssh/sshd_config
Replace the existing " Subsystem sftp" line (only one Subsystem sftp directive is allowed; a second one makes sshd fail to start) with the internal-sftp version, and append the Match block at the end of the file. A Match block extends to the next Match block or the end of the file, so any global options must be placed before it.
Subsystem sftp internal-sftp
Match Group group1
ChrootDirectory /home
ForceCommand internal-sftp
X11Forwarding no
AllowTcpForwarding no
Save and quit the file.
Check the configuration for syntax errors, then restart the sshd service to bring the new changes into effect. Keep an existing root session open while doing this, so that a broken configuration does not lock you out.
[root@linuxhelp ~]# sshd -t
[root@linuxhelp ~]# systemctl restart sshd
OR
[root@linuxhelp ~]# service sshd restart
Modify the permissions of " user1" ' s home directory so that other users cannot access it. The ChrootDirectory itself (/home here) must remain owned by root and must not be group- or world-writable, otherwise sshd rejects the login; only the user' s own subdirectory should be owned by the user.
[root@linuxhelp ~]# chmod 700 /home/user1
Checking SSH and SFTP Users Login
Verify the restriction from another host. First try to log in with ssh: the ForceCommand setting should refuse an interactive shell.
[root@linuxhelp ~]# ssh user1@192.168.5.88
user1@192.168.5.88' s password:
Could not chdir to home directory /home/user1: No such file or directory
This service allows sftp connections only.
Connection to 192.168.5.88 closed.
You cannot log in to the remote host via an ssh connection. The " Could not chdir to home directory" message is expected: sshd chroots to /home first and then looks for the home directory /home/user1 inside the jail (i.e. /home/home/user1 on the real file system), which does not exist, so the session starts at the jail root instead. Now try logging in with SFTP.
[root@linuxhelp ~]# sftp user1@192.168.5.88
user1@192.168.5.88' s password:
Connected to 192.168.5.88.
sftp>
Verify the current working directory. The jail root /home appears as / to the user.
sftp> pwd
Remote working directory: /
sftp> ls
user1
Move to the user1 directory; there you have access to create files or folders. Any path outside the jail, such as /root, does not exist from the user' s point of view and produces an error.
sftp> cd user1
sftp> cd /root
Couldn' t canonicalise: No such file or directory
2. Restricting SFTP Users to a Specific Directory
In the ssh configuration file, change " ChrootDirectory" to the directory you want to restrict the group to. Here, we are restricting the group to /project/files.
[root@linuxhelp ~]# vim /etc/ssh/sshd_config
Match Group group1
ChrootDirectory /project/files
ForceCommand internal-sftp
X11Forwarding no
AllowTcpForwarding no
Create the directory mentioned in the ssh configuration file. It must be owned by root and not writable by group or others, and sshd applies the same check to every parent component of the path. Because the jail root is not writable by the user, also create a subdirectory inside it that the user owns; this is where the user will be able to upload files.
[root@linuxhelp ~]# mkdir -p /project/files/user1
[root@linuxhelp ~]# chown root:root /project/files
[root@linuxhelp ~]# chmod 755 /project/files
[root@linuxhelp ~]# chown user1:group1 /project/files/user1
[root@linuxhelp ~]# chmod 700 /project/files/user1
Now check the configuration and restart the sshd service to bring the changes into effect.
[root@linuxhelp ~]# sshd -t
[root@linuxhelp ~]# systemctl restart sshd
OR
[root@linuxhelp ~]# service sshd restart