Difference between revisions of "SFTP chroot"

From ArchWiki
Jump to: navigation, search
(How-To for configuring OpenSSH SFTP chroot)
m (TCP Forwarding should normally not be allowed for group "sftpusers" (SECURITY))
Line 18: Line 18:
     ChrootDirectory %h
     ChrootDirectory %h
     ForceCommand internal-sftp
     ForceCommand internal-sftp
    AllowTcpForwarding no
Or for a user:
Or for a user:

Revision as of 13:06, 10 June 2009


OpenSSH 4.9+ includes a built-in chroot for sftp, but requires a few tweaks to the normal install.


This package is available in the core repository. To install it, run

# pacman -S openssh


In /etc/ssh/sshd_config, modify the Subsystem line for sftp:

 Subsystem       sftp    internal-sftp

At the end of the file, add something similar to the following for a group:

 Match Group sftpusers
   ChrootDirectory %h
   ForceCommand internal-sftp
   AllowTcpForwarding no

Or for a user:

 Match User username
   ChrootDirectory %h
   ForceCommand internal-sftp

The %h represents the users home directory.

Restart sshd:

# /etc/rc.d/sshd restart

Adding new chrooted users

If using the group method above, ensure all sftp users are put in the appropriate group, i.e.:

 usermod -g sftpusers

Also, set their shell to /bin/false to prevent a normal ssh login:

 usermod -s /bin/false

Note that since this is only for sftp, a proper chroot environment with a shell and /dev/* doesn't need to be created.

Their chroot will be the same as their home directory. The permissions are not the same as a normal home, though. Their home directory must be owned as root and not writable by another user or group. This includes the path leading to the directory. My recommendation is to use /usr/local/chroot as a root and build the home directories under that.

Testing your chroot

# ssh username@localhost

should refuse the connection or fail on login. The response varies, possibly due to the version of OpenSSH used.

# sftp username@localhost

should place you in the chroot'd environment. If not, ensure that your /etc/hosts.allow file contains the following line or one similar to allow ssh connections:

sshd: ALL

Links & References