How To Restrict SFTP Users Home Directories in Linux

Restricting users' home directories is important, especially on a shared server, so that one user cannot access another user's files. This article explains the steps to restrict SFTP users to their home directories using a chroot jail.


1. Restricting SFTP Users to Home Directories


To Create or Modify Users and Groups

First create a new group with the groupadd command; the existing user will be restricted to their home directory through membership of this group.

[root@linuxhelp ~]# groupadd group1

Now add the existing user to the “group1” group (the -a option keeps the user's other supplementary groups instead of replacing them).

[root@linuxhelp ~]# usermod -aG group1 user1

Modifying the SSH Configuration File

Open the /etc/ssh/sshd_config file and specify the directory the users are to be confined to in the ChrootDirectory directive.

[root@linuxhelp ~]# vim /etc/ssh/sshd_config

Append the following lines. The Subsystem line replaces the existing Subsystem sftp entry in the file, because sshd does not accept two definitions of the same subsystem.

Subsystem sftp internal-sftp
Match Group group1
   ChrootDirectory /home
   ForceCommand internal-sftp
   X11Forwarding no
   AllowTcpForwarding no

Save and quit the file.

Restart sshd service to bring new changes into effect.

[root@linuxhelp ~]# systemctl restart sshd
OR
[root@linuxhelp ~]# service sshd restart

Modify the permissions of user1's home directory so that other users cannot access it.

[root@linuxhelp ~]# chmod 700 /home/user1

Checking SSH and SFTP Users Login

Now verify the login behaviour: from another host, first try to log in with ssh.

[root@linuxhelp ~]# ssh user1@192.168.5.88
user1@192.168.5.88's password:
Could not chdir to home directory /home/user1: No such file or directory
This service allows sftp connections only.
Connection to 192.168.5.88 closed.

The ssh login is refused, since only SFTP is allowed for this group. Now try logging in with sftp.

[root@linuxhelp ~]# sftp user1@192.168.5.88
user1@192.168.5.88's password:
Connected to 192.168.5.88.
sftp> 

Verify the current working directory.

sftp>  pwd
Remote working directory: /
sftp>  ls
user1  

Move into the user1 directory; here you can create files and folders. Trying to access any other directory produces an error.

sftp>  cd user1
sftp>  cd /root
Couldn't canonicalise: No such file or directory


2. Restricting SFTP Users to a Specific Directory

In the ssh configuration file, change ChrootDirectory to whatever directory you want to restrict the users to. Here we restrict them to /project/files.

[root@linuxhelp ~]# vim /etc/ssh/sshd_config
Match Group group1
   ChrootDirectory /project/files
   ForceCommand internal-sftp
   X11Forwarding no
   AllowTcpForwarding no

Create the directory named in the ssh configuration file. Note that sshd requires the chroot directory, and every directory on the path to it, to be owned by root and not writable by group or others; if that condition is not met, the SFTP session is closed right after authentication. Because the chroot itself is root-owned, the users can only write inside a subdirectory you create for them underneath it (for example a user-owned /project/files/user1).

[root@linuxhelp ~]# mkdir -p /project/files

Now restart sshd service to bring the changes into effect.

[root@linuxhelp ~]# systemctl restart sshd
OR
[root@linuxhelp ~]# service sshd restart
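As an added pre-flight check that is not part of the original tutorial: a POSIX shell function that walks every component of an intended ChrootDirectory and reports the conditions sshd enforces (root ownership, no group or other write permission), which is the usual cause of the "closed by remote host" failure mentioned in the comments. It assumes GNU stat; the directory tree used in the comment at the end is the tutorial's own /project/files path, and nothing here modifies sshd_config.

```shell
#!/bin/sh
# Pre-flight check for an sshd ChrootDirectory (added example, not from the tutorial).
# sshd requires every component of the chroot path, from "/" down to the
# target, to be a directory owned by root and not writable by group or others;
# otherwise the SFTP session is closed right after authentication.
# Prints one "component: reason" line per problem; returns 0 only if clean.

# check_component DIR: report problems with one directory, return their count.
check_component() {
    if [ ! -d "$1" ]; then
        echo "$1: not a directory"
        return 1
    fi
    # GNU stat: %u = owner uid, %a = permission bits in octal (e.g. 755, 1777)
    set -- "$1" $(stat -c '%u %a' "$1")
    problems=0
    if [ "$2" != 0 ]; then
        echo "$1: not owned by root (uid $2)"
        problems=$((problems + 1))
    fi
    # 022 = group-write | other-write; sshd rejects either bit.
    if [ $(( 0$3 & 022 )) -ne 0 ]; then
        echo "$1: writable by group or others (mode $3)"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# chroot_path_problems DIR: check "/", then each prefix of DIR in turn.
chroot_path_problems() {
    total=0
    check_component / || total=$((total + $?))
    rest=${1#/}
    component=""
    while [ -n "$rest" ]; do
        part=${rest%%/*}
        case $rest in
            */*) rest=${rest#*/} ;;
            *)   rest="" ;;
        esac
        [ -n "$part" ] || continue          # skip empty segments such as "//"
        component="$component/$part"
        check_component "$component" || total=$((total + $?))
    done
    [ "$total" -eq 0 ]
}

# On the server, as root, after the mkdir from the tutorial:
#   chroot_path_problems /project/files && echo "chroot path OK"
```

A clean chroot is read-only for the confined user, so uploads still need a user-owned subdirectory inside it.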

Tags: owen

Comments (1)

d4niel
When doing "ChrootDirectory /project/files", I get “Connection to [host] closed by remote host” and can no longer connect.

Frequently asked questions (5)

Q

How to restrict multiple users to their own home directories

A

Change /home to whichever directory you need the user to be restricted to. E.g.: ChrootDirectory /home/

Q

rsync error: protocol incompatibility (code 2) at /SourceCache/rsync/rsync-42/rsync/compat.c(61) [receiver=2.6.9] Any ideas? Thanks

A

I think it's due to different versions of rsync installed on the servers; make sure you have the same version of rsync. Or maybe different flavors of Linux distros are used here, you need to check.

Q

Thanks for the article. I’m learning about SFTP now and was curious and wanted to know how to CHROOT its users from Centos 7.

A

You’re better off creating an SFTP root as /home/sftproot and then putting your SFTP users' home directories under /home/sftproot/home. Then when that user logs in they’ll automatically get put

Q

Is there any sftp command to use encryption?

A

Follow this link: https://www.linuxhelp.com/sftp-command-transfer-encrypted-files/

Q

I meant I can not reach my odoo server locally anymore?

A

If you remove the 127.0.0.1 part and restart the server you will be able to run it locally on port 8069.
