Configure SFTP Chroot on Ubuntu 14.04

This article covers setting up an SFTP server and confining users to their home directories (chroot) on Ubuntu 14.04.

SFTP is a protocol for exchanging files over a secure (SSH) connection. A chroot is an isolated environment in which the user sees a chosen directory as the root of the filesystem and cannot reach anything outside it.

First, let’s create a group with users:

groupadd sftpusers

Since SFTP is a subsystem of SSH, its settings live in the sshd_config file, which needs to be edited:

vim /etc/ssh/sshd_config

Find and comment out the line:

#Subsystem sftp /usr/lib/openssh/sftp-server

Add a line right below it:

Subsystem sftp internal-sftp

Add the following to the end of the document:

Match Group sftpusers
        X11Forwarding no
        AllowTcpForwarding no
        ChrootDirectory %h
        ForceCommand internal-sftp
        PasswordAuthentication yes

Restart the ssh daemon for the changes to take effect:

initctl restart ssh

Now you can create a user:

useradd -g sftpusers -d /home/username -m -s /bin/false username

Actually, the /bin/false shell is not listed in /etc/shells, but that does not prevent SFTP logins, because internal-sftp never invokes the user's shell. You can add it if you want, but it will not change much:

echo /bin/false >> /etc/shells

An important step is to change the owner of the user’s home directory: sshd only chroots into a directory that is owned by root and not writable by anyone else, so users cannot write to their home directories themselves:

chown root:root /home/username

If you need to create a folder with write access:

mkdir /home/username/upload
chown username:sftpusers /home/username/upload
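The whole procedure above, collected into one script. This is an added example, not part of the original article: the function names (configure_sshd_config, check_chroot_dir, create_sftp_user) are hypothetical, the sshd_config path and the home directory are passed in as arguments so the edit can be rehearsed on a copy, and check_chroot_dir verifies the two conditions sshd enforces before it will chroot a user (the directory is owned by root and is not group- or world-writable). The expected-owner parameter of that check exists only so it can be exercised without root; on a real host it defaults to root. Applying it to the live system (`sh sftp-chroot.sh --apply alice`) requires root, and the script runs `sshd -t` to validate the configuration before restarting the daemon.

```shell
#!/bin/sh
# Added example (not the article's own code): SFTP chroot setup helpers.

# Print the Match block the article appends to sshd_config.
sftp_match_block() {
    cat <<'EOF'
Match Group sftpusers
        X11Forwarding no
        AllowTcpForwarding no
        ChrootDirectory %h
        ForceCommand internal-sftp
        PasswordAuthentication yes
EOF
}

# Rewrite an sshd_config: comment out the external sftp-server subsystem,
# add internal-sftp right below it, append the Match block at the end
# (Match applies to everything after it, so it must come last).
# Safe to run twice. $1: path of the sshd_config to edit (try a copy first).
configure_sshd_config() {
    cfg="$1"
    awk '
        /^Subsystem[ \t]+sftp[ \t]+\/usr\/lib\/openssh\/sftp-server/ {
            print "#" $0
            print "Subsystem sftp internal-sftp"
            next
        }
        { print }
    ' "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
    if ! grep -q '^Match Group sftpusers' "$cfg"; then
        sftp_match_block >> "$cfg"
    fi
}

# Check a chroot directory the way sshd does: owned by the expected user
# (root on a real host) and not writable by group or others. sshd applies
# the same test to every path component above it, so /home must pass too.
# $1: directory, $2: expected owner (defaults to root).
check_chroot_dir() {
    dir="$1"
    owner="${2:-root}"
    actual=$(stat -c '%U' "$dir") || return 1
    perms=$(stat -c '%a' "$dir") || return 1
    mode=$(( 0$perms ))                 # leading 0: parse as octal
    if [ "$actual" != "$owner" ]; then
        echo "$dir: owned by $actual, sshd requires $owner" >&2
        return 1
    fi
    if [ $(( mode & 022 )) -ne 0 ]; then
        echo "$dir: mode $perms is group/other writable; sshd will refuse the chroot" >&2
        return 1
    fi
    return 0
}

# Create one chrooted SFTP user as the article does, step by step.
# Must run as root. $1: username.
create_sftp_user() {
    user="$1"
    useradd -g sftpusers -d "/home/$user" -m -s /bin/false "$user"
    chown root:root "/home/$user"          # chroot root must be root-owned
    chmod 755 "/home/$user"                # and not group/world writable
    mkdir -p "/home/$user/upload"          # writable area inside the chroot
    chown "$user:sftpusers" "/home/$user/upload"
    check_chroot_dir "/home/$user"
}

# Apply the whole procedure on a real Ubuntu 14.04 host:
#   sh sftp-chroot.sh --apply alice
if [ "${1:-}" = "--apply" ] && [ -n "${2:-}" ]; then
    getent group sftpusers >/dev/null || groupadd sftpusers
    cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
    configure_sshd_config /etc/ssh/sshd_config
    sshd -t                                # validate before restarting
    initctl restart ssh
    create_sftp_user "$2"
fi
```

Rehearse configure_sshd_config on a copy of /etc/ssh/sshd_config and diff it against the original before touching the live file; a Match block placed anywhere but the end of the file silently changes the scope of every directive after it.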