Environment
- Red Hat Enterprise Linux
Issue
- Learn how to set up chrooted users with SFTP-only access, using SSH keys.
Resolution
Create a chroot sftp user.
# useradd testuser
Create an sftp group.
# groupadd sftpusers
Add the chroot user to the sftp group.
# usermod -aG sftpusers testuser
Make a root directory for the chroot users.
# mkdir /sftp
Create the user's chroot directory.
# mkdir /sftp/testuser
Configure the correct permissions and ownership for the chroot directory.
# chown testuser:testuser /sftp/testuser
# chmod 700 /sftp/testuser
Ensure that the user is able to access the directory:
# sudo -u testuser ls /sftp/testuser
If it fails, add the execute (search) permission for others on each parent directory in the path up to the user's home directory:
# chmod o+x /sftp/
Create an .ssh directory with an authorized_keys file in the user's /home directory.
# mkdir /home/testuser/.ssh
# touch /home/testuser/.ssh/authorized_keys
# chmod 700 /home/testuser/.ssh
# chmod 600 /home/testuser/.ssh/authorized_keys
Copy and paste the contents of the .ssh/id_rsa.pub file from the client into the authorized_keys file that you just created.
Configure the correct ownership of the .ssh directory and the authorized_keys file.
# chown testuser:testuser /home/testuser/.ssh
# chown testuser:testuser /home/testuser/.ssh/authorized_keys
Change the Subsystem line in the /etc/ssh/sshd_config file.
Subsystem sftp internal-sftp
Add a Match block at the end of the /etc/ssh/sshd_config file.
Match Group sftpusers
ChrootDirectory /sftp/
ForceCommand internal-sftp -d /%u
Restart the sshd service.
Red Hat Enterprise Linux 6
# service sshd restart
Red Hat Enterprise Linux 7 or newer
# systemctl restart sshd
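Added example, not part of the Red Hat article: a bash script that checks the ChrootDirectory path from the Match block before sshd is restarted. sshd refuses chrooted logins unless every component of the chroot path (here / and /sftp, but not the user-owned /sftp/testuser beneath it) is owned by root and writable only by its owner; the script assumes GNU stat as shipped with RHEL.

```shell
#!/bin/bash
# Verify that a ChrootDirectory path meets sshd's ownership and mode rules.
# On failure sshd logs "bad ownership or modes for chroot directory component"
# and the SFTP login is rejected. (Added example; assumes GNU coreutils stat.)

# Pure check on a numeric uid and an octal mode string (3 or 4 digits).
# Returns 0 when the component is acceptable: owned by root (uid 0) and
# not writable by group or others.
component_ok() {
    uid="$1"; mode="$2"
    [ "$uid" -eq 0 ] || return 1
    # Left-pad to four digits without printf, which would parse the leading
    # zero as octal; then keep the group and other digits.
    while [ ${#mode} -lt 4 ]; do mode="0$mode"; done
    perm=${mode#??}
    group_bits=${perm%?}
    other_bits=${perm#?}
    # The write bit is value 2 in each octal digit.
    [ $(( group_bits & 2 )) -eq 0 ] || return 1
    [ $(( other_bits & 2 )) -eq 0 ] || return 1
    return 0
}

# Walk from the chroot directory up to / and check every component.
# Prints the first offending directory to stderr and returns 1.
check_chroot_path() {
    dir="$1"
    while :; do
        info=$(stat -c '%u %a' "$dir") || return 1
        set -- $info
        if ! component_ok "$1" "$2"; then
            echo "bad ownership or mode on $dir (uid=$1 mode=$2)" >&2
            return 1
        fi
        [ "$dir" = "/" ] && return 0
        dir=$(dirname "$dir")
    done
}

# Usage: ./check_chroot.sh /sftp   (the ChrootDirectory from sshd_config)
if [ "$#" -gt 0 ]; then
    check_chroot_path "$1" && echo "chroot path $1 is acceptable"
fi
```

A directory such as /sftp created with mkdir by root (mode 755) passes; one later made group-writable for convenience, or chowned to the user, is exactly what the check reports.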