SFTP-Chroots

Yet another little reminder for me on how to do chroots in SFTP (so a user does not see /bin, /home, and other internal/user directories – say in webhosting):

In my example, my users should get a directory in /srv/sftp/.

Create a new group, I'll call it sftponly:

groupadd sftponly

Create two users, "alice" and "bob", if you haven't already created them (note that we give them no shell access here by setting their shell to /bin/false):

useradd -s /bin/false alice
useradd -s /bin/false bob

Set their passwords:

passwd alice
passwd bob

Add them to the sftponly group (you could have done this while creating them as well; -A is the option of the older SUSE usermod, on distributions using shadow-utils the equivalent is usermod -aG sftponly alice):

usermod alice -A sftponly
usermod bob -A sftponly

Create folders for alice and bob:

mkdir -p /srv/sftp
cd /srv/sftp

mkdir /srv/sftp/alice
chown alice /srv/sftp/alice
chmod 700 /srv/sftp/alice

mkdir /srv/sftp/bob
chown bob /srv/sftp/bob
chmod 700 /srv/sftp/bob

Set ownership of /srv/sftp/ to root:sftponly with rwxr-x--- (750) permissions. This is necessary for this to work: sshd requires the chroot directory and every directory above it to be owned by root and not group- or world-writable, otherwise something like this will pop up in your syslog: fatal: bad ownership or modes for chroot directory "/srv/sftp"

chown root:sftponly /srv/sftp
chmod 750 /srv/sftp

Prepare /etc/ssh/sshd_config (the new Subsystem line replaces the existing one; internal-sftp runs inside sshd and needs no binaries or libraries inside the chroot, which is why it is used instead of the external sftp-server):

#Subsystem      sftp    /usr/lib64/ssh/sftp-server
Subsystem       sftp    internal-sftp

Match Group sftponly
    ForceCommand internal-sftp
    ChrootDirectory /srv/sftp
    X11Forwarding no
    AllowTcpForwarding no

Restart the SSH server (running sshd -t first reports syntax errors in the configuration before the restart):

systemctl restart sshd.service

And that's it. If alice or bob log in now, they land in /srv/sftp (the root of the chroot) and should only see two directories, alice and bob, and nothing else; because of the 700 permissions each of them can only enter their own directory.