Lock SFTP Users to Their Home Directory
The solution to the age-old problem of locking SFTP users into their home directory is setting up a chroot environment. This normally requires that you copy the necessary binaries and libraries into the jail so that your jailed users can make use of the allowed tools for file transfer.
As of OpenSSH 4.9p1, things have gotten a bit easier. OpenSSH has two features that make the task of locking users into their home directories a piece of cake. They are:
- A built-in SFTP subsystem.
With a built-in SFTP subsystem, you no longer need to copy binaries and their required libraries into the chroot to provide the file transfer service. OpenSSH provides an internal SFTP subsystem.
- The Match keyword.
This allows you to target specific users or groups in the sshd_config file and specify settings particular to them, such as a ChrootDirectory option and ForceCommand internal-sftp.
Getting it working is simple.
- Add a group called sftponly and add the users who you’d like to lock into their home directories to that group.
- Edit your sshd_config file (/etc/ssh/sshd_config if you’re on FreeBSD) and add the following to the bottom:
Match Group sftponly
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp
    ChrootDirectory %h
- That’s it: HUP sshd (/etc/rc.d/sshd restart if you’re running FreeBSD) and test it out.