Setting up chroot for SFTP

Jason Wright jasonwright365 at
Wed Jun 27 17:34:11 MDT 2012

On Wed, Jun 27, 2012 at 7:27 AM, James Noble <noblejames at> wrote:

> I need to set up SFTP and have the new users be locked into their own
> directory.

I've set up an sftp chroot jail with openssh. It was a little
tricky for me.

If you have a version that supports the "ChrootDirectory" configuration
option, setup is simple. (just google "chroot openssh")

The problems I've found are that configuration information is read from
your directory before you are chrooted. This creates a problem:
1) your .profile script is run _before_ the user is chroot'd. If your users
can edit the .profile script, this negates the purpose of a chroot
2) users can create a .ssh directory with setup for their own parameters
(possibly opening up lesser known holes)
3) ssh configuration might be useful (think public key authentication), but
letting users configure their .ssh directories sounds a little iffy.

Getting around these shortcomings is complicated.

You can chown all the appropriate config files and give world read-execute.

My hack is a little more complicated, but more secure.
1) create a chroot directory, i.e. /home/chroot/
2) put 3 folders inside with the user's permissions for them.
3) chroot the directories appropriately
4) create the user and set the home directory to /home/user1
5) add the user to the sftpusers group

In your /etc/ssh/sshd_config:

Match   Group sftpusers
        ChrootDirectory /home/chroot/%u
        ForceCommand internal-sftp
        PasswordAuthentication yes

Oh, and if you don't want them to have ssh access, change the shell in
/etc/passwd to /bin/false

Basically, this tightens the hatches and lets administrators change
configuration files, add openssh public key authentication if needed and
denies users the ability to even see their configuration files. It also
lets your sftp application find the right home directory in your chroot
environment. You gotta make it look smooth to your users :)

I hope this helps you run a tight ship!
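An added example, not part of Jason's post or of OpenSSH itself: a POSIX sh check for the ownership and permission rules sshd enforces on the ChrootDirectory tree (the usual reason a correct-looking Match block still rejects logins), followed by the post's five setup steps as commands. It assumes the layout /home/chroot/USER/home/USER so that the passwd home /home/USER resolves inside the jail, that the sftpusers group and the Match block already exist, and that provisioning runs as root.

```shell
#!/bin/sh
# Added example (not from the original post): verify that a ChrootDirectory
# tree satisfies sshd's rules, the usual reason a Match block like the one
# above fails with "bad ownership or modes for chroot directory": every
# component from / down to the chroot must be owned by root and must not be
# writable by group or others. Only the user's own directory inside the jail
# (assumed layout /home/chroot/USER/home/USER) is writable by the user.

# check_component DIR UID: succeed if DIR is owned by UID and is neither
# group- nor world-writable (ls -ldn, so it runs without root).
check_component() {
  cinfo=$(ls -ldn "$1" 2>/dev/null) || return 1   # path missing
  cuid=$2
  set -- $cinfo      # $1 = mode string (drwxr-xr-x), $3 = numeric owner uid
  [ "$3" = "$cuid" ] || return 1                    # wrong owner
  case "$1" in
    ?????w*|????????w*) return 1 ;;                 # group/world writable
  esac
  return 0
}

# check_chroot_path CHROOT [TOP] [UID]: walk from CHROOT up to TOP (default /)
# and fail at the first offending component. sshd checks all the way to /;
# TOP only exists so the walk can be bounded when testing in a scratch dir.
check_chroot_path() {
  cdir=$1; ctop=${2:-/}; cwant=${3:-0}
  while :; do
    if ! check_component "$cdir" "$cwant"; then
      echo "bad ownership or modes: $cdir" >&2
      return 1
    fi
    [ "$cdir" = "$ctop" ] && return 0
    [ "$cdir" = "/" ] && return 0
    cdir=$(dirname "$cdir")
  done
}

# provision_sftp_user USER: the post's steps 1-5 as commands. Must run as
# root; group sftpusers and the Match block are assumed to exist already.
provision_sftp_user() {
  u=$1
  mkdir -p "/home/chroot/$u/home/$u"
  chown root:root /home/chroot "/home/chroot/$u" "/home/chroot/$u/home"
  chmod 755 /home/chroot "/home/chroot/$u" "/home/chroot/$u/home"
  useradd -M -d "/home/$u" -s /bin/false -G sftpusers "$u"  # no ssh shell
  chown "$u:$u" "/home/chroot/$u/home/$u"
  chmod 700 "/home/chroot/$u/home/$u"
  check_chroot_path "/home/chroot/$u"    # confirm sshd will accept the jail
}
```

Run `check_chroot_path /home/chroot/user1` after any manual chown or chmod on the jail; a non-zero exit names the component sshd will refuse.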
