Chrooting Users with SFTP

Prerequisite: OpenSSH 4.9p1 or newer is required (ChrootDirectory and the internal-sftp subsystem are not available in older releases). You can verify the installed version with the following command:

rpm -qa | grep -i openssh

Note: the user can be created with /bin/false as login shell for SFTP-only access (internal-sftp runs inside sshd and never invokes the shell), or with /bin/bash if you want to allow shell access; for shell access refer to the bottom section as well. The Match blocks below go into /etc/ssh/sshd_config after all global directives, because a Match block applies until the next Match or the end of the file; check the syntax with sshd -t before restarting sshd.

For User:

Match User username
    ChrootDirectory /home/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no

For Group:

Match Group sftp
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no

With %h the jail is each member's own home directory, so that directory itself must be root-owned (see the permissions step below); the user lands at / inside the jail and can only write in a subdirectory you hand over to them.

Variables you can use:

%u : Username
%h : Home Directory

Fix the permissions so that the user can only write in a dedicated subdirectory. sshd refuses the login with "bad ownership or modes for chroot directory" unless the chroot directory and every directory above it are owned by root and are not writable by group or others:

chown root /home/username
chmod go-w /home/username

mkdir /home/username/writeableDir
chown username:group /home/username/writeableDir
chmod ug+rwX /home/username/writeableDir
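The two things that go wrong most often with this setup are a typo in the Match block and a chroot path that fails sshd's ownership check. The script below is an added example, not code from the original post: it prints the Match block for one SFTP-only user and applies sshd's rule (root-owned, not group/world-writable) to every component of a chroot path, the same check sshd performs at login. It assumes Linux with GNU coreutils stat (the -c format); the user name alice in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original post): helpers for the SFTP chroot setup.
# Assumes Linux with GNU coreutils stat (the -c format string).

# Print the sshd_config Match block for an SFTP-only user jailed in /home/<user>.
sftp_match_block() {
    user="$1"
    printf 'Match User %s\n' "$user"
    printf '    ChrootDirectory /home/%%u\n'
    printf '    ForceCommand internal-sftp\n'
    printf '    AllowTcpForwarding no\n'
    printf '    X11Forwarding no\n'
}

# sshd's rule for every component of the ChrootDirectory path: owned by
# uid 0 and not writable by group or others. Arguments: numeric uid and
# octal mode as printed by stat %a (e.g. "755" or "0755").
chroot_component_ok() {
    uid="$1"
    mode="$2"
    [ "$uid" -eq 0 ] || return 1
    perm=${mode#"${mode%???}"}      # last three octal digits: user, group, other
    case "$perm" in
        ?[2367]?) return 1 ;;       # group write bit set
        ??[2367]) return 1 ;;       # other write bit set
    esac
    return 0
}

# Walk from the chroot directory up to / and apply the rule to each component,
# reporting the first offender. Returns 0 only if the whole path is acceptable.
check_chroot_path() {
    dir="$1"
    while :; do
        info=$(stat -c '%u %a' "$dir" 2>/dev/null) || return 1
        set -- $info                # split "uid mode" into $1 and $2
        if ! chroot_component_ok "$1" "$2"; then
            printf 'bad ownership or modes for %s (uid=%s mode=%s)\n' "$dir" "$1" "$2" >&2
            return 1
        fi
        [ "$dir" = / ] && return 0
        dir=$(dirname "$dir")
    done
}

# Usage, as root, for a new SFTP-only user (alice is a placeholder):
#   sftp_match_block alice >> /etc/ssh/sshd_config && sshd -t
#   check_chroot_path /home/alice
```

Run check_chroot_path on the directory you put in ChrootDirectory before restarting sshd; if it reports a component, fix that directory with chown root and chmod go-w rather than loosening anything else, since sshd checks the whole path, /home included.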

For Shell Access:

A shell inside a chroot needs the shell binary, the shared libraries it links against and a few device nodes. The library list below comes from an old 32-bit glibc system; on your own system run ldd /bin/bash and copy the libraries it lists (on most current distributions bash links against libtinfo instead of libtermcap). The Match block for such users keeps ChrootDirectory, pointing at /chroot, without ForceCommand internal-sftp, and /chroot itself must satisfy the same root-ownership rule as above.

mkdir /chroot
cd /chroot
mkdir {bin,dev,lib}
mkdir -p /chroot/home/joe
cp -p /bin/bash bin/
cp -p /lib/{ld-linux.so.2,libc.so.6,libdl.so.2,libtermcap.so.2} lib/   # names from an old 32-bit system; check with: ldd /bin/bash
mknod dev/null c 1 3
mknod dev/zero c 1 5
chmod 0666 dev/{null,zero}
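Rather than hard-coding a library list that goes stale with every glibc or architecture change, the jail can be populated from what ldd actually reports. The script below is an added example, not code from the original post: it copies each requested binary into the jail at its original path, then copies every shared object ldd resolves for it, and creates the device nodes as a separate root-only step. It assumes a glibc-based Linux with ldd, awk and GNU cp; /chroot, /bin/bash and joe in the usage comment are taken from the post.

```shell
#!/bin/sh
# Added example (not from the original post): build a shell chroot from what
# ldd reports instead of a hard-coded library list.
# Assumes a glibc-based Linux with ldd, awk and GNU cp; mknod needs root.

# Resolve the shared objects a dynamic binary needs, one absolute path per line.
# A static binary makes ldd exit non-zero, which is fine: it has no dependencies.
lib_deps() {
    ldd "$1" 2>/dev/null | awk '
        $2 == "=>" && $3 ~ "^/" { print $3 }   # libc.so.6 => /lib/.../libc.so.6 (0x...)
        $1 ~ "^/"               { print $1 }   # /lib64/ld-linux-x86-64.so.2 (0x...)
    ' | sort -u
}

# Copy one file into the jail at the same absolute path, creating parents.
# cp dereferences symlinks given on the command line, so the jail gets real files.
copy_into_jail() {
    jail="$1"
    src="$2"
    mkdir -p "$jail$(dirname "$src")"
    cp -p "$src" "$jail$src"
}

# Create the skeleton and copy every binary given plus its libraries.
populate_jail() {
    jail="$1"
    shift
    mkdir -p "$jail/bin" "$jail/dev" "$jail/lib"
    for bin in "$@"; do
        copy_into_jail "$jail" "$bin" || return 1
        for lib in $(lib_deps "$bin"); do
            copy_into_jail "$jail" "$lib" || return 1
        done
    done
}

# Device nodes a shell expects; mknod requires root (CAP_MKNOD), so it is kept apart
# from populate_jail, which can be tried as an ordinary user.
make_jail_devices() {
    jail="$1"
    mknod -m 0666 "$jail/dev/null" c 1 3
    mknod -m 0666 "$jail/dev/zero" c 1 5
}

# Usage, as root, matching the layout in the post:
#   populate_jail /chroot /bin/bash /bin/ls && make_jail_devices /chroot
#   mkdir -p /chroot/home/joe && chown joe:joe /chroot/home/joe
```

Because the jail directory is created by root with the default umask it already satisfies sshd's root-owned, non-group-writable requirement; only the user's own home inside the jail is handed over with chown.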
