Chroot SFTP users to their home directory on OpenSSH server

OpenSSH server comes with a pretty neat builtin SFTP subsystem. It allows you to use SFTP out of the box but it also provides some more advanced features. One commonly used feature is restrict an SFTP user to access only one directory and not see the entire server filesystem, or also known as chrooting (from changing the root of the filesystem tree).

To chroot an user in OpenSSH server you must edit the /etc/ssh/sshd_config file, by adding the following lines:

Match User sftp01
PasswordAuthentication yes
ChrootDirectory /home/%u
AllowTcpForwarding no
ForceCommand internal-sftp
X11Forwarding no

In this case we are chrooting only the sftp01 user as selected by the Match User sftp01 but you can also use Match Group sftp_users or any group name to match a group of users.

An important requirement is that the chroot directory (in our case the home directory of the user) must be owned by the root user.

Leave a Reply

Your email address will not be published. Required fields are marked *