Header Shadow Image

Chrooted SFTP

\In this post we will create a chrooted SFTP login for guest accounts on our Linux distribution.  

  • Locate your sftp-server binary:

    # locate sftp-server

  • Use the result of the above to add this line to your /etc/ssh/sshd_config file (Check if this line does not exist already).  Note, internal-sftp will point to the above sftp-server on login:

Subsystem       sftp    internal-sftp

  • Add the following line to the end of the file.  First one is for group users and second is for the sftpuser.  For this exercise you can choose one or the other:

    Match Group users
        ChrootDirectory /home
        AllowTCPForwarding no
        X11Forwarding no
        ForceCommand /usr/libexec/openssh/sftp-server

    Match User sftpuser
        ChrootDirectory /home
        AllowTCPForwarding no
        X11Forwarding no
        ForceCommand /usr/libexec/openssh/sftp-server

  • Ensure the sftpuser .ssh folder exists ( Or you will not be able to login since file /home/sftpuser/.ssh/authorized_keys will not be writable )
  • Add the sftpuser and associate them with users group:

    # useradd sftpuser
    # usermod -G users sftpuser
    # id sftpuser
    uid=508(sftpuser) gid=508(sftpuser) groups=508(sftpuser),100(users)

  • Ensure the chrooted folder is owned by root.root ( chown root.root /home/sftpuser for example. )
  • Issue /etc/init.d/sshd restart of service sshd restart.
  • Test the configuration:

Problems encountered:

# ssh sftpuser@
FIPS integrity verification test failed.
sftpuser@'s password:
Write failed: Broken pipe

the chrooted folder is not owned by root.  In case there are problems, also try to run sshd in debug mode to see about the causes: /sbin/sshd -p 2222 -D -ddd -e then use sftp -oPort=2222 sftpuser@ to test connect there .

An example of a typical issue you can see is:

debug1: Could not open authorized keys '/home/sftpuser/.ssh/authorized_keys': Permission denied

Simply create the folder above to allow for population of the authorized_keys file.  Another error that can be seen is:

debug1: subsystem: cannot stat /usr/lib/openssh/sftp-server: Permission denied

Try to use one of the following (first one worked fine) instead:

Subsystem       sftp    internal-sftp
# Subsystem     sftp    sftp-server
# Subsystem     sftp    /usr/libexec/openssh/sftp-server
# Subsystem     sftp    /usr/libexec/openssh/internal-sftp


Have Fun!


Leave a Reply

You must be logged in to post a comment.

  Copyright © 2003 - 2013 Tom Kacperski (microdevsys.com). All rights reserved.

Creative Commons License
This work is licensed under a Creative Commons Attribution 3.0 Unported License