Monday, September 12, 2011

How to chroot SFTP (Secure File Transfer)

SFTP (SSH File Transfer Protocol) is a network protocol that provides file transfer functionality over reliable data stream. It has nothing related with old ftp protocol however it treated as a secure replacement. Here we are going to achieve the following:
  1. Service root directory: /srv/sftp
  2. Each user must have isolated sftp location, e.g. /srv/sftp/user1
  3. User top level directory include directories: files, archive
  4. User session is chrooted
  5. User is limited to sftp only, no shell, no ssh access
If you have ssh installed, you have sftp. Just in case:
apt-get -y install ssh

SSH Configuration for SFTP

You need to ensure the sftp subsystem is enabled in ssh. We are going to use internal-sftp implementation, that is in-process ssh subsystem (file /etc/ssh/sshd_config):
#Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem sftp internal-sftp
Let use sftp group to identify users for sftp. Here is a matching rule for ssh, add it at the end of /etc/ssh/sshd_config file:
Match group sftp
    ChrootDirectory /srv/sftp/%u
    X11Forwarding no
    AllowTcpForwarding no
    MaxAuthTries 2
    ForceCommand internal-sftp
Restart ssh so the changes take place:
/etc/init.d/ssh restart


Let create a security group for our sftp users:
groupadd sftp
Here is a script that does the rest (file


genpasswd() {
    local l=$1
    [ "$l" == "" ] && l=20
    tr -dc A-Za-z0-9_ < /dev/urandom \
        | head -c ${l} | xargs

if [ -z $1 ]; then 
    echo "Usage $0 username"
    exit 1

# 1. User is created with home directory set to /, 
# this is the directory sftp change once chroot.
# 2. User added to group sftp.
# 3. Do not create home directory.
# 4. User has no shell, ssh login impossible.
useradd -d / -G sftp -M -s /bin/false $1

echo "Auto generated password:"
passwd $1

mkdir -p $sftproot/$1/{files,archive}
# Chroot directory must be owned by root
chown root:$1 $sftproot/$1 
# User has read-only access
chmod -R 750 $sftproot/$1
# User owns everything below chroot directory
chown $1:$1 $sftproot/$1/*
Just invoke it this way:
./ user1
Now you should be able use sftp.


  1. Thanks for this useful post. Just one thing:

    # Chroot directory must be owned by root
    chown root:$1 $1/

    should be

    # Chroot directory must be owned by root
    chown root:$1 $sftproot/$1/

  2. Fabrice, thank you for the comment. Let me clarify few things from post:
    1. The sftp directory is owned by root.
    2. User has read-only access.
    3. User owns everything below chroot directory (not directory itself).