Configuring an sftp chroot with OpenSSH

Configuring an OpenSSH sftp chroot is a surprisingly easy process for how powerful it is, it allows you to create a chroot environment that a user can connect to by sftp and go about their business locked inside their folder. The purpose of this is to have a secure method of transferring files between machines, that is the purpose of the chroot which is like a jail confining access and then using sftp which is SSH file transfer protocol.


    sudo vi /etc/sshd/sshd_config
  1. Scroll down to the bottom and add the following into the file

    Match Group sftp
        ChrootDirectory %h
        X11Forwarding no
        AllowTcpForwarding no
        ForceCommand internal-sftp
    
  2. Add a user you want to create for sftp purposes. We are creating it with /bin/false, we don't want this accessible to anything but sftp connections

    sudo useradd -m -d /home/<username here> -s   /bin/false -U <username here>
    
  3. Add a password to the user, make sure its strong

    passwd <username here>
    
  4. Add the group we specified earlier, which was sftp

    groupadd sftp
    
  5. And now we will add them to the group we just made.

    usermod -aG sftp <username here>
    
  6. To secure the directory and a big part of creating that chroot is having root own the new users home directory

    chown root:root /home/<username here>
    chmod go-w /home/<username here>
    
  7. Now we must make a folder to be writable by our new user so we they can utilize it, otherwise they will not be able to read, write, or execute anything. They must also own the folder and have the correct permissions set too.

    sudo mkdir /home//writable sudo chown :sftp /home//writable sudo chmod ug+rw /home//writable

  8. Now you must restart sshd for the new configuration we added earlier to get picked up, and then try connecting to by the computer/server you configured this on by using the user we created. This should be successful and ready to use.

    systemctl restart sshd
    

    Then check the daemons status:

    systemctl status sshd