Configure sftp server with restricted chroot users with ssh keys without affecting normal user access

  • Login on the Linux server (sftp) as root and create a new user account with the following Shell commands:

useradd seimaxim-user
passwd seimaxim-user

  • On the client system copy the ssh keys to the server:

ssh-copy-id seimaxim-user@seimaxim-server

  • On the client system verify the ssh keys so that a password-less login can be made to the server:

ssh seimaxim-uer@seimaxim-server

  • Verify sftp connection is working passwordless from the client system to server:

sftp seimaxim-user@seimaxim-server

  • At this stage, seimaxim-user from client system can ssh and sftp with entering password and have access to all directories. Now make necessary changes to chroot seimaxim-user caged to a specific directory.
  • On Linux server create a new group to add chroot seimaxim-user with groupadd sftpuser
  • Make a directory for chrooot seimaxim-user with mkdir /files
  • Make a subdirectory for seimaxim-user that has to be chroot with mkdir /files/seimaxim-user
  • Create a home directory for seimaxim-user with mkdir /files/seimaxim-user/home
  • Add seimaxim-user to new group you added in previous steps which sftpuser in our case with usermod -aG sftpuser seimaxim-user
  • Modify permissions of home directory /files/seimaxim-user/home of seimaxim-user with chown seimaxim-user:ftpuser /files/seimaxim-user/home
  • Open /etc/ssh/sshd_config in text editor like vi and add following code:

Subsystem sftp internal-sftp -d /home
Match Group sftpuser
ChrootDirectory /files/%u

  • Restart sshd service with systemctl restart sshd
  • Now try to connect via ssh and as user seimaxim-user from the client system to the server. You will not be able to connect via ssh but only through sftp. Also, try connecting with sftp which will be connected to the server without any issue. This solution will allow other users to connect through ssh to the server.

Leave a Reply

Your email address will not be published. Required fields are marked *