SFTP Server with chroot Setup CentOS 6 / RHEL 6

SFTP provides a secure way to give clients FTP-style file access: it is file transfer over SSH, not FTP, and it comes built in with the openssh-server package. Creating SFTP accounts is as straightforward as creating normal user accounts. However, if you want to confine users to their designated folder only, a chroot setup is needed. This improves security in two ways: chrooted SFTP users cannot log in to a normal bash shell, and once logged in they cannot see anything outside their chroot, so system folders are hidden from them. This tutorial will walk you through the SFTP server setup.

Setup SFTP

Step:1 Create a group for the sftp users
[root@localhost ~]# groupadd sftp_users

Step:2 Assign the secondary group (sftp_users) to the user.
If the user does not exist on the system yet, use the command below (the /sbin/nologin shell makes sure the account cannot be used for an interactive SSH login):
[root@localhost ~]# useradd -G sftp_users -s /sbin/nologin john
[root@localhost ~]# passwd john

For already existing users, use the usermod command below. Note the -a: without it, -G replaces the user's supplementary groups instead of adding to them.
[root@localhost ~]# usermod -aG sftp_users -s /sbin/nologin john

Note: if you want to change the default home directory of a user, use the -d option with useradd or usermod, and apply the same ownership and permission rules to the new directory as described in Step 4 below; the chroot will not work otherwise.

Step:3 Now edit the config file “/etc/ssh/sshd_config”
vi /etc/ssh/sshd_config

Comment out the below line
#Subsystem sftp /usr/libexec/openssh/sftp-server

And add the line below
Subsystem sftp internal-sftp

Add the lines below at the end of the file. They must come last: every directive after a Match line belongs to that Match block until the next Match, so anything placed below it would no longer apply globally.
Match Group sftp_users
X11Forwarding no
AllowTcpForwarding no
ChrootDirectory %h
ForceCommand internal-sftp

Where:

  • Match Group sftp_users – The directives that follow apply only to users who belong to the group sftp_users; everyone else keeps the global settings.
  • X11Forwarding no / AllowTcpForwarding no – These stop the user from using the SSH connection for X11 or TCP port forwarding, so the account gives file transfer and nothing more.
  • ChrootDirectory %h – This is the path (by default the user's home directory) that sshd chroots into after the user is authenticated. So, for john, this will be /home/john. sshd will refuse the login unless this directory and every directory above it are owned by root and not writable by group or others (see Step 4).
  • ForceCommand internal-sftp – This forces the in-process SFTP server, ignoring any command supplied by the client and the ~/.ssh/rc file. Because internal-sftp runs inside sshd, no binaries or libraries need to be copied into the chroot.
Apply your changes by restarting the ssh service. A mistake in sshd_config can lock you out, so keep your current session open until you have confirmed that a new login still works.

Restart the ssh service
service sshd restart

Step:4 Set the permissions:
sshd only chroots into a directory that is owned by root and is not writable by group or others; this applies to every directory on the path from / down to the chroot. If the home directory is owned by john, the login fails and /var/log/secure shows "bad ownership or modes for chroot directory". So the home directory must stay owned by root:
[root@localhost ~]# chown root:sftp_users /home/john
[root@localhost ~]# chmod 755 /home/john

Because john cannot write to his root-owned home directory, if you want john to be allowed to upload files, create an upload folder inside it that he does own:
[root@localhost ~]# mkdir /home/john/upload
[root@localhost ~]# chown john:sftp_users /home/john/upload
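The whole procedure from Steps 1 to 4, as an added example that is not part of the original tutorial: the group and account creation, the sshd_config changes, the chroot home layout, and a check that mirrors the ownership and mode rules sshd enforces on a ChrootDirectory. It assumes the RHEL 6 paths used above (/etc/ssh/sshd_config, service sshd restart, /sbin/nologin) and GNU coreutils for stat -c. The extra top and expected_uid parameters of check_chroot_path are there only so the check can be exercised on a throwaway directory tree without root; in real use the defaults (/ and uid 0) apply.

```shell
#!/bin/bash
# Added example: chroot'd SFTP account setup for CentOS 6 / RHEL 6 (not the tutorial's own code).
set -u

SFTP_GROUP=sftp_users                 # group name from the tutorial
SSHD_CONFIG=/etc/ssh/sshd_config      # assumed RHEL 6 default path

# Print the Match block the tutorial appends to sshd_config. It has to be the last thing
# in the file: every directive after a Match line belongs to that block.
sshd_match_block() {
    printf '%s\n' \
        "Match Group $1" \
        "    X11Forwarding no" \
        "    AllowTcpForwarding no" \
        "    ChrootDirectory %h" \
        "    ForceCommand internal-sftp"
}

# Return 0 when an octal mode (as printed by `stat -c %a`) has no group or other write bit.
# sshd rejects a chroot directory, or any of its parents, that is writable by anyone but the owner.
mode_is_chroot_safe() {
    [ $(( 0$1 & 0777 & 022 )) -eq 0 ]
}

# Walk from $dir up to and including $top, requiring each directory to be owned by
# $expected_uid (root in real use) and to pass mode_is_chroot_safe. sshd applies the same
# rule to every path component from /; $top and $expected_uid exist only for testing on a fixture.
check_chroot_path() {
    local dir=$1 top=${2:-/} expected_uid=${3:-0}
    local p=$dir uid mode
    while :; do
        uid=$(stat -c %u "$p") || return 1
        mode=$(stat -c %a "$p") || return 1
        if [ "$uid" -ne "$expected_uid" ]; then
            echo "bad owner on $p: uid $uid, expected $expected_uid" >&2; return 1
        fi
        if ! mode_is_chroot_safe "$mode"; then
            echo "bad mode on $p: $mode is group/other writable" >&2; return 1
        fi
        [ "$p" = "$top" ] && return 0
        [ "$p" = / ] && return 0
        p=$(dirname "$p")
    done
}

# Lay out the chroot home the way sshd wants it: the home itself root-owned and 755,
# with a writable upload/ directory owned by the user inside it. Needs root.
layout_chroot_home() {
    local home=$1 user=$2 group=$3
    mkdir -p "$home/upload" &&
    chown "root:$group" "$home" && chmod 755 "$home" &&
    chown "$user:$group" "$home/upload" && chmod 750 "$home/upload"
}

# Steps 1 to 4 end to end for one user. Needs root.
setup_sftp_user() {
    local user=$1 home
    getent group "$SFTP_GROUP" >/dev/null || groupadd "$SFTP_GROUP"
    if id "$user" >/dev/null 2>&1; then
        usermod -aG "$SFTP_GROUP" -s /sbin/nologin "$user"   # -a keeps existing groups
    else
        useradd -G "$SFTP_GROUP" -s /sbin/nologin "$user"
    fi
    if ! grep -q "^Match Group $SFTP_GROUP" "$SSHD_CONFIG"; then
        # switch the sftp subsystem to internal-sftp, then append the Match block last
        sed -i 's|^Subsystem[[:space:]]\+sftp[[:space:]].*|Subsystem sftp internal-sftp|' "$SSHD_CONFIG"
        grep -q '^Subsystem[[:space:]]\+sftp[[:space:]]\+internal-sftp' "$SSHD_CONFIG" ||
            echo 'Subsystem sftp internal-sftp' >> "$SSHD_CONFIG"
        sshd_match_block "$SFTP_GROUP" >> "$SSHD_CONFIG"
    fi
    home=$(getent passwd "$user" | cut -d: -f6)
    layout_chroot_home "$home" "$user" "$SFTP_GROUP"
    check_chroot_path "$home" &&
    sshd -t && service sshd restart      # sshd -t: syntax-check the config before restarting
}

# Only do the real setup when run as root with a user name, e.g. ./sftp-chroot.sh john;
# otherwise the file just defines the functions above.
if [ "$(id -u)" -eq 0 ] && [ $# -ge 1 ]; then
    setup_sftp_user "$1"
fi
```

Run check_chroot_path /home/john after any change to the home directory's ownership or mode; it fails for the same reasons sshd would, but tells you which path component is the problem instead of leaving you to read /var/log/secure.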


– masterkenneth
