In newer releases of OpenSSH (4.9 and later) restricting a user to their home folder is almost as easy as with ProFTPD.
You no longer need to set up a full chroot environment with copies of or links to the essential
binaries and libraries: the in-process sftp server (internal-sftp) needs nothing inside the chroot.
On Debian/Ubuntu just apply the following changes:
- Create a group (e.g. with addgroup restricted) that will contain the users subject to the
restricted sftp configuration defined below, and add each of those users to it.
- Change (or add) the Subsystem line for sftp in /etc/ssh/sshd_config so that sshd uses the
in-process server instead of the external sftp-server binary, which would not exist inside the chroot:
    Subsystem sftp internal-sftp
- Finally add a Match section at the end of /etc/ssh/sshd_config that matches the dedicated group
and configures restricted sftp access. It has to go at the end, because every directive after a
Match line applies to that Match block until the next one:
    Match Group restricted
        ChrootDirectory %h
        X11Forwarding no
        AllowTcpForwarding no
        ForceCommand internal-sftp
  Check the result with sshd -t before restarting sshd; a broken config would otherwise lock you out.
The permissions on the home folder path are critical: sshd requires the chroot directory and every
parent directory up to / to be owned by root and not writable by group or others, otherwise it
refuses the login and logs "bad ownership or modes for chroot directory" to /var/log/auth.log.
A consequence is that the user cannot write into their root-owned home folder itself, so create a
subdirectory (e.g. an upload folder) owned by the user inside it. If sftp does not work as expected,
/var/log/auth.log is the first place to look.