How to set up a SFTP server with users chrooted in their home directories?
Solution 1
That article also describes how to get chrooted shell access, but since you just want an sftp-only account, just follow these instructions:
Edit /etc/ssh/sshd_config
and add the lines:
SubSystem sftp internal-sftp
Match Group sftp
ChrootDirectory %h
ForceCommand internal-sftp
AllowTcpForwarding no
Find the line UsePAM yes
and comment it:
#UsePAM yes
Without disabling this, my SSH server would crash on reloading/ restarting. Since I do not need fancy functions of PAM, this is fine.
For extra security, restrict the users who can login. If you forget to add SFTP users to the sftp group, you give them free shell access. Not a nice scenario. Because SSH cannot combine AllowUsers and AllowGroups (a login has to fulfill both rules), you have to create an additional group, say ssh-users. Add the users who are allowed to login (youruser below) over SSH:
sudo groupadd ssh-users
sudo gpasswd -a youruser ssh-users
And add the next line to /etc/ssh/sshd_config:
AllowGroups ssh-users sftp
Now proceed with modifying the permissions of the user's home directory to allow for chrooting (example user sftp-user):
sudo chown root:sftp-user /home/sftp-user
sudo chmod 750 /home/sftp-user
Create a directory in which sftp-user is free to put any files:
sudo mkdir /home/sftp-user/public
sudo chown sftp-user: /home/sftp-user/public
sudo chmod 750 /home/sftp-user/public
Should you run into any problems, check /var/log/syslog and /var/log/auth.log for details. Run ssh or sftp with the -vvv option for debugging messages. For sftp, the option must appear before the host, as in sftp -vvv user@host.
Solution 2
Just wanted to add that folder permissions up the directory tree need to be set a certain way.
sshd's strict ownership/permissions requirements dictate that every directory in the chroot path must be owned by root and only writable by the owner.
I was having a very similar error, and fixing my directory permissions fixed the issue for me.
Solution 3
I'm using Ubuntu LTS 12.04 and after a lot of pain, this worked for me.
My settings for /etc/ssh/sshd_config:
Subsystem sftp internal-sftp -f AUTH -l VERBOSE
UsePAM yes
Match group sftp
ChrootDirectory %h
ForceCommand internal-sftp
AllowTcpForwarding no
- Create group sftp:
groupadd sftp
- Create user directly with new sftp group attached:
sudo useradd -d /ftpusers/HomeFolder -m UserName -g sftp -s /bin/false
- Set permissions for use with ssh for sftp:
chown root:root HomeFolder
chmod 755 HomeFolder
- Restart service:
service ssh restart
Note: the home folder for the new sftp user has to be owned by root.
Solution 4
Here is a step-by-step guide to allow:
- SFTP access to /home/bob/uploads for user bob
- Lock bob out of SSH
- Use username/passwords rather than keys
First, edit your /etc/ssh/sshd_config file:
sudo nano /etc/ssh/sshd_config
Scroll down and modify:
PasswordAuthentication yes
and add this at the bottom:
Match Group sftpusers
ChrootDirectory %h
ForceCommand internal-sftp
AllowTcpForwarding no
Press Ctrl-X to exit and save.
Now add the user:
sudo useradd bob
sudo passwd bob
Now add the groups and disable ssh:
sudo groupadd sftpusers
sudo usermod -g sftpusers bob
sudo usermod -s /usr/bin/rssh bob
sudo usermod -d /home/bob bob
Now set permissions:
sudo chown root:root /home/bob/
sudo chmod 755 /home/bob/
sudo mkdir /home/bob/uploads
sudo chown bob /home/bob/uploads
sudo service sshd restart
All this is while logged in as a root user (ec2-user on Amazon Linux AMIs).
Nitin Venkatesh, updated on September 18, 2022
Comments
-
Nitin Venkatesh almost 2 years: I have been trying to set up an SFTP server with multiple users chrooting into their home directories. I followed the advice on this guide (Archive.org link) and then executed the following commands on the user's directories:
chown root:root /home/user/
chmod 755 /home/user/
There is an additional folder in every user's home directory called public, which is owned by its user so as to allow them to create directories and upload and remove files as needed. (This was advised in the guide I mentioned earlier.) Now when I execute sftp -P 435 user@localhost, I get this error:
Write failed: Broken pipe
Couldn't read packet: Connection reset by peer
How do I proceed from here? The ultimate idea is to have each user on some other machine use FileZilla to log into their chrooted home directories and then be able to upload directories and files. All this in SFTP (because it's more secure).
-
Ash over 8 years: The link provided is broken, are you able to update this?
-
Nitin Venkatesh over 8 years: @ash: Updated with the Archive.org link.
-
Max Masnick over 11 years: The directions here did not work for me, but following the directions in this question and the answer did: askubuntu.com/questions/134425/…
-
jnunn over 11 years: you need a step after step 2 for sudo passwd UserName in order to set the user's password
-
Admin about 11 years: I think #4 should read: service sshd restart
-
Lekensteyn over 10 years: To the anonymous editor: the Match block was not added just before the UsePAM line. Instead, the Match block was appended to the file and the UsePAM line was somewhere earlier.
-
jwbensley almost 10 years: No, on 12.04 it is "ssh" not "sshd"
-
Peter Lozovitskiy over 8 years: Make sure the 'UseLogin yes' option is present in the sshd_config file.
-
Deian over 8 years: sshd is for Red Hat Linux
-
jamescampbell about 8 years: This was my issue. It worked for me by adding in specifics for the user I was adding: Match User ftpusername and then ChrootDirectory %h and then ForceCommand internal-sftp. I did not need to comment out UsePAM or make any other changes otherwise besides setting chown root /home/ftpusername. Until I did the chown, I could not connect via sftp.
-
Thamaraiselvam almost 8 years: PasswordAuthentication yes is the solution for me
-
Simon Woodside about 7 years: You need to close the Match Group block by putting Match all after AllowTcpForwarding no. Then you won't need to comment out UsePAM and any lines that occur later.