paulgorman.org/technical

SFTP chroot for SFTP-only users

See sshd_config(5).

  1. Edit /etc/ssh/sshd_config.
  2. Make sure it has Subsystem sftp internal-sftp (Debian ships Subsystem sftp /usr/lib/openssh/sftp-server; replace that line).
  3. Add a group for restricted users: addgroup sftp-only
  4. Add restricted user(s): adduser --shell /usr/sbin/nologin --no-create-home myuser, then adduser myuser sftp-only (Debian's --add_extra_groups takes no argument; it only adds the groups listed under EXTRA_GROUPS in adduser.conf)
  5. mkdir -p /home/myuser/incoming
  6. chown root:root /home/myuser and chmod 755 /home/myuser (sshd refuses a ChrootDirectory unless every component of its path is owned by root and writable only by root; otherwise the login fails with "bad ownership or modes for chroot directory" in the auth log)
  7. chown myuser:myuser /home/myuser/incoming
  8. Add, at the end of sshd_config (a Match block extends to the next Match line or the end of the file, so anything placed after it would be restricted too):
Match Group sftp-only
	ChrootDirectory %h
	AllowTcpForwarding no
	X11Forwarding no
	ForceCommand internal-sftp

Finally: sshd -t to check the config, then systemctl restart sshd (a syntax error in sshd_config would otherwise leave sshd stopped after the restart).

What’s the difference between internal-sftp and sftp-server?

Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem sftp internal-sftp

internal-sftp is newer and needs no support files when used with ChrootDirectory: sshd runs it in-process, so the chroot does not have to contain the user's shell, /usr/lib/openssh/sftp-server, or the shared libraries those need. With sftp-server, sshd starts the user's login shell to exec the subsystem, so all of that has to exist inside the chroot (and the shell cannot be nologin). Generally, use internal-sftp.

https://serverfault.com/questions/660160/openssh-difference-between-internal-sftp-and-sftp-server/660325

Can the user have write access to the home directory (i.e., write to /home/myuser instead of /home/myuser/incoming)?

No, not with OpenSSH: sshd requires every component of the ChrootDirectory path to be owned by root and writable only by root, so the chroot root itself can never be writable by myuser. The usual compromise is to keep the writable directories one level down (as with incoming above) and, if the user should not land in the read-only top level, start them inside one of those with the -d start_directory option of internal-sftp (see sftp-server(8)).