SFTP using ChrootDirectory

In newer releases of OpenSSH it’s almost as easy as ProFTPD’s DefaultRoot to restrict a user to the home folder. You no longer need to set up a full chroot environment including copies/links to the essential libraries etc.

On Debian/Ubuntu, just apply these changes:

  • Create a group (e.g. with addgroup restricted) that will contain the users subject to the restricted sftp configuration defined later.
  • Change or add the following line for the sftp subsystem in /etc/ssh/sshd_config: Subsystem sftp internal-sftp
  • Finally, add a section to the end of /etc/ssh/sshd_config that matches the dedicated group and configures restricted sftp access:
Match group restricted
  ChrootDirectory %h
  X11Forwarding no
  AllowTcpForwarding no
  ForceCommand internal-sftp

The permissions along the home folder path are critical: don’t grant too many permissions to other (non-root) users, and if sftp does not work as expected, look for the corresponding messages in /var/log/auth.log.