How to set up chroot SFTP?

While configuring an SFTP server for public use in your organization you will often require that users of the SFTP server can only access their own home directory and its sub-directories. All other directories should be inaccessible to them, so as to create a separation between users and maintain security for all of them. This is called a “chroot jail” in FTP terminology.

In this article we will learn how to set up such an environment.

Chroot SFTP is possible with OpenSSH (openssh-server-4.3p2-30.el5). If you are using an older OpenSSH version than this, upgrade it to openssh-server-4.3p2-30.el5 or later.

Below is a sample chroot SFTP configuration:

1. Create a specific chrooted directory:

[root@sftp~]# mkdir /chroot/home

2. Bind-mount /home onto it as follows:

[root@sftp~]# mount -o bind /home /chroot/home

3. Edit /etc/ssh/sshd_config and set the following two directives:

[root@sftp~]# vim /etc/ssh/sshd_config

ChrootDirectory /chroot

Subsystem sftp internal-sftp

Please ensure that the ChrootDirectory path, “/chroot” in this example, is a root-owned directory that is not writable by any other user or group. This affects all users, however; there is no per-user configuration.

4. Restart the SSH service:

[root@sftp~]# service sshd restart
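The steps above depend on two conditions that sshd enforces silently: every directory from the ChrootDirectory up to / must be root-owned and not group/other writable (otherwise sshd logs "bad ownership or modes for chroot directory" and refuses the login), and the sftp subsystem must be internal-sftp, because the external sftp-server binary does not exist inside an empty chroot. The following pre-flight script is an added example, not code from the original post; it assumes GNU coreutils stat (as on RHEL/CentOS), and the WANT_UID and TOP parameters exist only so the check can be exercised on a throwaway directory tree owned by an unprivileged user. On a live host, run it as root with the defaults before step 4.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks for the
# chroot SFTP setup, to run before "service sshd restart".
# Assumes GNU coreutils "stat -c" (Linux).

# dir_ok DIR WANT_UID
# 0 if DIR is owned by WANT_UID and not writable by group or others, which is
# the condition sshd applies to every component of the ChrootDirectory path.
dir_ok() {
    d=$1; want=$2
    info=$(stat -c '%u %A' "$d" 2>/dev/null) || { echo "missing: $d"; return 1; }
    uid=${info%% *}   # numeric owner
    mode=${info#* }   # symbolic mode, e.g. drwxr-xr-x
    if [ "$uid" != "$want" ]; then
        echo "bad owner on $d: uid $uid, want $want"; return 1
    fi
    # Character 6 of the symbolic mode is the group write bit, character 9
    # the other write bit.
    gw=$(printf '%s' "$mode" | cut -c6)
    ow=$(printf '%s' "$mode" | cut -c9)
    if [ "$gw" = w ] || [ "$ow" = w ]; then
        echo "$d is group/other writable ($mode)"; return 1
    fi
    return 0
}

# chroot_path_ok PATH [WANT_UID] [TOP]
# Walks from PATH up to TOP (default /) applying dir_ok to each component,
# as sshd does. WANT_UID defaults to 0 (root). TOP is a hypothetical
# parameter added so the walk can stop inside a test tree; in production
# leave both defaults in place.
chroot_path_ok() {
    p=$1; want=${2:-0}; top=${3:-/}
    case $p in
        /*) ;;
        *) echo "ChrootDirectory must be an absolute path: $p"; return 1 ;;
    esac
    d=$p
    while :; do
        dir_ok "$d" "$want" || return 1
        [ "$d" = "$top" ] && return 0
        [ "$d" = / ] && return 1   # reached / without passing through TOP
        d=$(dirname "$d")
    done
}

# chroot_dir_from_config FILE
# Prints the value of the first ChrootDirectory directive (keywords are
# case-insensitive in sshd_config).
chroot_dir_from_config() {
    awk 'tolower($1) == "chrootdirectory" { print $2; exit }' "$1"
}

# sshd_config_ok FILE
# Confirms FILE carries the two directives from step 3 and that the sftp
# subsystem is internal-sftp rather than an external sftp-server binary.
sshd_config_ok() {
    f=$1
    grep -Eiq '^[[:space:]]*ChrootDirectory[[:space:]]+[^[:space:]]' "$f" \
        || { echo "no ChrootDirectory in $f"; return 1; }
    grep -Eiq '^[[:space:]]*Subsystem[[:space:]]+sftp[[:space:]]+internal-sftp[[:space:]]*$' "$f" \
        || { echo "sftp subsystem is not internal-sftp in $f"; return 1; }
    return 0
}

# Stand-alone use: sh chroot-check.sh /etc/ssh/sshd_config
# Checks the config, then the path it names, and reports whether sshd can
# safely be restarted.
if [ $# -eq 1 ]; then
    cfg=$1
    sshd_config_ok "$cfg" \
        && chroot_path_ok "$(chroot_dir_from_config "$cfg")" \
        && echo "ok: $cfg and its ChrootDirectory pass, safe to restart sshd"
fi
```

Run as an unprivileged user against a real /etc/ssh/sshd_config the path check reports "bad owner" at the first component not owned by uid 0, which is the same condition sshd would reject at login time.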


About Manish Jha

Hi all, I am Manish Kumar Jha, aka Alex Hunt. I am currently working at VMware Software India Pvt Ltd as an Operations System Engineer (vCloud Air Operations). I have around 5 years of IT experience and exposure to VMware vSphere, vCloud Director, RHEL and modern data center technologies like Cisco UCS, Cisco Nexus 1000v and NSX. If you find any post informative, please press like and share it across social media, and leave your comments if you want to discuss any post further. Disclaimer: All the information on this website is published in good faith and for general information purposes only. I don’t make any warranties about the completeness, reliability and accuracy of this information. Any action you take upon the information you find on this blog is strictly at your own risk. The views and opinions published on this blog are my own and not the opinions of my employer or any of the vendors of the products discussed.
This entry was posted in Linux/CentOS, SSH.
