Asked Tuesday, May 2, 2023, 2:06:33 (1 answer, 137740 hits)

I have been trying to set up an SFTP server with multiple users chrooting into their home directories. I followed the advice on this guide (Archive.org link) and then executed the following commands on the users' directories:



chown root:root /home/user/
chmod 755 /home/user/


There is an additional folder in every user's home directory called public, which is owned by its user so as to allow them to create directories and upload and remove files as needed. (This was advised in the guide I mentioned earlier.)



Now when I execute sftp -P 435 user@localhost, I get this error:

Write failed: Broken pipe
Couldn't read packet: Connection reset by peer

How do I proceed from here? The ultimate idea is to have each user on some other machine use FileZilla to log into their chrooted home directories and then be able to upload directories and files. All this in SFTP (because it's more secure).



Answers

That article also describes how to get chrooted shell access, but since you just want an sftp-only account, just follow these instructions:



Edit /etc/ssh/sshd_config and add the lines:



# Use sshd's in-process SFTP server, so no binaries are needed inside the chroot
Subsystem sftp internal-sftp
# Match blocks must come at the end of sshd_config; the lines below apply only
# to members of group sftp. %h expands to the user's home directory.
Match Group sftp
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no


Find the line UsePAM yes and comment it:



#UsePAM yes


Without disabling this, my SSH server would crash on reloading/restarting. Since I do not need fancy functions of PAM, this is fine.



For extra security, restrict the users who can log in. If you forget to add SFTP users to the sftp group, you give them free shell access. Not a nice scenario. Because SSH cannot combine AllowUsers and AllowGroups (a login has to fulfill both rules), you have to create an additional group, say ssh-users. Add the users who are allowed to log in (youruser below) over SSH:



sudo groupadd ssh-users
sudo gpasswd -a youruser ssh-users


And add the next line to /etc/ssh/sshd_config:



AllowGroups ssh-users sftp


Now proceed with modifying the permissions of the user's home directory to allow for chrooting (example user sftp-user):



# The chroot target must be owned by root and must not be writable by group or others
sudo chown root:sftp-user /home/sftp-user
sudo chmod 750 /home/sftp-user


Create a directory in which sftp-user is free to put any files:



# A writable subdirectory inside the chroot, owned by the user
sudo mkdir /home/sftp-user/public
sudo chown sftp-user: /home/sftp-user/public
sudo chmod 750 /home/sftp-user/public


Should you run into any problems, check /var/log/syslog and /var/log/auth.log for details. Run ssh or sftp with the -vvv option for debugging messages. For sftp, the option must appear before the host, as in sftp -vvv user@host.


Answered by pilun, Tuesday, May 2, 2023
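As an added example that is not part of the original post or answer, here is a small POSIX shell preflight for the setup above: it checks that the sshd_config directives from the answer are present and that every directory component of the chroot target is root-owned and not group/world-writable, which is the condition sshd enforces and the usual cause of the "Broken pipe" in the question. It assumes GNU coreutils (stat -c) and a POSIX awk; the OWNER_UID and TOP parameters are hypothetical conveniences so the directory check can be run against a constructed tree without root.

```shell
#!/bin/sh
# Added example, not part of the original post: two preflight checks for the
# chrooted internal-sftp setup described in the answer.  Assumes GNU coreutils
# (stat -c) and a POSIX awk.  OWNER_UID and TOP exist only so the directory
# check can be exercised on a constructed tree; against a real server leave
# them at their defaults (root and /), which is what sshd itself enforces.

# check_chroot_path DIR [OWNER_UID] [TOP]
# sshd refuses ChrootDirectory unless every component from / down to DIR is
# owned by root and not writable by group or others; a refused chroot is what
# the client reports as "Write failed: Broken pipe".  Prints the first
# offending component and returns 1; returns 2 if a component cannot be read.
check_chroot_path() {
    p=$1; want=${2:-0}; top=${3:-/}
    while :; do
        uid=$(stat -c %u "$p") && mode=$(stat -c %a "$p") || return 2
        g=$((0$mode / 8 % 8)); o=$((0$mode % 8))   # group and other octal digits
        if [ "$uid" -ne "$want" ] || [ $((g & 2)) -ne 0 ] || [ $((o & 2)) -ne 0 ]; then
            echo "unsafe chroot component: $p (uid $uid, mode $mode)"
            return 1
        fi
        [ "$p" = "$top" ] || [ "$p" = / ] && return 0
        p=${p%/*}; [ -n "$p" ] || p=/     # step up one directory
    done
}

# check_sshd_config FILE
# Confirms the directives the answer adds: the sftp subsystem is internal-sftp
# and the "Match Group sftp" block chroots, forces internal-sftp and disables
# TCP forwarding.  Keywords are matched case-insensitively, as sshd does.
check_sshd_config() {
    cfg=$1
    grep -qiE '^[[:space:]]*subsystem[[:space:]]+sftp[[:space:]]+internal-sftp' "$cfg" ||
        { echo "Subsystem sftp does not use internal-sftp"; return 1; }
    # Keep only the lines of the Match block whose criteria name group sftp.
    block=$(awk '{ l = tolower($0) }
                 l ~ /^[ \t]*match[ \t]/ { blk = (l ~ /group[ \t]+sftp/) }
                 blk { print l }' "$cfg")
    for want in chrootdirectory 'forcecommand[[:space:]]+internal-sftp' \
                'allowtcpforwarding[[:space:]]+no'; do
        printf '%s\n' "$block" | grep -qE "^[[:space:]]*$want" ||
            { echo "Match Group sftp block lacks: $want"; return 1; }
    done
}

# On a real host (not run here):
#   check_sshd_config /etc/ssh/sshd_config && check_chroot_path /home/sftp-user
```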