{"id":943,"date":"2016-08-01T21:15:25","date_gmt":"2016-08-02T02:15:25","guid":{"rendered":"http:\/\/xfloyd.net\/blog\/?p=943"},"modified":"2016-08-19T20:52:22","modified_gmt":"2016-08-20T01:52:22","slug":"guide-for-setting-up-sftp-users-whos-access-is-restricted-to-their-home-directory","status":"publish","type":"post","link":"http:\/\/xfloyd.net\/blog\/?p=943","title":{"rendered":"Guide for setting up SFTP users who\u2019s access is restricted to their home directory"},"content":{"rendered":"

Here is a guide for setting up SFTP users who\u2019s access is restricted to their home directory.<\/p>\n

Add the following to the end of the \/etc\/ssh\/sshd_config<\/strong> file:<\/p>\n

<\/p>\n

Subsystem sftp internal-sftp\r\n# This section must be placed at the very end of sshd_config\r\nMatch Group sftponly\r\n    ChrootDirectory %h\r\n    ForceCommand internal-sftp\r\n    AllowTcpForwarding no<\/pre>\n
This means that all users in the \u2018sftponly\u2019 group will be chroot\u2019d to their home directory, where they only will be able to run internal SFTP processes.<\/p>\n
Now you can create the group sftponly by running the following command:<\/p>\n
$ groupadd sftponly<\/pre>\n
Set a user\u2019s group:<\/p>\n
$ usermod steve -g sftponly<\/pre>\n
To deny SSH shell access, run the following command:<\/p>\n
$ usermod steve -s \/bin\/false<\/pre>\n
And set the user\u2019s home directory:<\/p>\n
$ usermod steve -d \/folder<\/pre>\n
Finally, you probably need to restart SSH<\/p>\n
$ service ssh restart<\/pre>\n
The SSH part should now be in order, but you should make sure that file permissions also are correct. If the chroot environment is in a user\u2019s home directory both \/home<\/strong> and \/home\/username<\/strong> must be owned by root and should have permissions along the lines of 755 or 750.<\/p>\n
In other words, every folder leading up to and including the home folder must be owned by root, otherwise you will get the following error after logging in:<\/p>\n
Write failed: Broken pipe\r\nCouldn't read packet: Connection reset by peer<\/pre>\n","protected":false},"excerpt":{"rendered":"
Here is a guide for setting up SFTP users who\u2019s access is restricted to their home directory. Add the following to the end of the \/etc\/ssh\/sshd_config file:<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11],"tags":[],"_links":{"self":[{"href":"http:\/\/xfloyd.net\/blog\/index.php?rest_route=\/wp\/v2\/posts\/943"}],"collection":[{"href":"http:\/\/xfloyd.net\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/xfloyd.net\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/xfloyd.net\/blog\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/xfloyd.net\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=943"}],"version-history":[{"count":3,"href":"http:\/\/xfloyd.net\/blog\/index.php?rest_route=\/wp\/v2\/posts\/943\/revisions"}],"predecessor-version":[{"id":955,"href":"http:\/\/xfloyd.net\/blog\/index.php?rest_route=\/wp\/v2\/posts\/943\/revisions\/955"}],"wp:attachment":[{"href":"http:\/\/xfloyd.net\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=943"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/xfloyd.net\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=943"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/xfloyd.net\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=943"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}