Setup Chroot SFTP in Ubuntu Linux

Chroot keeps the user in his login / home directory when logging in. This is not default behavior. In the default setup of SFTP you can CD anywhere on the system!

1. Create a new group

groupadd sftpusers

2. Create users who want to SFTP

useradd -g sftpusers -s /usr/sbin/nologin guestuser
passwd guestuser

3. Modify the the /etc/ssh/sshd_config file and comment out the following line:

Subsystem sftp /usr/libexec/openssh/sftp-server

4. Add the following line directly below the line you have commented out:

Subsystem sftp internal-sftp

5. Add the following lines at the end of /etc/ssh/sshd_config:

Match Group sftpusers
        ChrootDirectory /var/www/%u
        ForceCommand internal-sftp

6. Users start in the /var/www directory; this directory should be owned by root (see below) with chmod 755:

ll -ld /var/www
drwxr-xr-x 11 root root 4096 jun 30 13:39 /var/www/

7. Create a new directory with the same name as the username you just added:

mkdir /var/www/guestuser

8. Make sure that this new directory is also owned by root (see below):

ll -ld /var/www/guestuser
drwxr-xr-x 3 root www-data 4096 aug 14 18:18 /var/www/guestuser

10. Create a subfolder below /var/www/guestuser for example www and set user ownership to guestuser and groupowner ship to www-data. Set access right two 2755 ( 2=set group id, 7=rwx for owner (guestuser), 5=rx for group (www-data), 5=rx for world (including apache www-data user):

ll -ld /var/www/guestuser
drwxr-sr-x 2 guestuser www-data 4096 okt  1 17:02 /var/www/guestuser/www/

9. Restart the ssh server:

service sshd restart

If the directories have not the correct ownership a message will appear in /var/log/auth.log:

Aug 14 18:18:29 hostname sshd[24996]: fatal: bad ownership or modes for chroot directory "/var/www/guestuser"

 

Share

Leave a Reply

Your email address will not be published.