Linux system administrators frequently wish to give users the ability to upload files to remote servers. The most common way of doing so in a secure manner is to permit file transfers via SFTP, which uses SSH to provide encryption. By default, users are able to view the contents of the entire remote filesystem, which may not be desirable. This guide will help you configure OpenSSH to restrict users to their home directories. Please note that these instructions are not intended to support shell logins; any user accounts modified in accordance with this guide will have the ability to transfer files, but not the ability to log into a remote shell session.
Please note that these instructions will work on Ubuntu 9.04 and greater or Debian 5 and greater systems. Unfortunately, the version of SSH packaged with Ubuntu 8.04 is too old to support this configuration.
Edit your /etc/ssh/sshd_config file, making sure the following line is present. If your system's file has a line that begins with "Subsystem sftp", modify it to resemble the following:
File excerpt:/etc/ssh/sshd_config
Subsystem sftp internal-sftp
Continue to add the following block to the end of the file:
File excerpt:/etc/ssh/sshd_config
Match group filetransfer
    ChrootDirectory %h
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp
Restart OpenSSH as follows:
/etc/init.d/ssh restart
Create a group for the users who will only have SFTP access:
addgroup filetransfer
Next, you'll need to modify the user accounts that you wish to restrict to using only SFTP. Issue the following commands for each account, substituting the appropriate username. Please keep in mind that this will prevent these users from being able to log into a remote shell session. If you don't want to restrict your existing users, you may add new user accounts for file transfer purposes using the adduser command.
usermod -G filetransfer username
chown root:root /home/username
chmod 755 /home/username
After issuing these commands, the affected users won't be able to create files in their home directories as these directories will be owned by the root user. You'll want to create a set of directories for each user that they have full access to. Issue the following command for each user, changing the directories created to suit your needs:
cd /home/username
mkdir docs public_html
chown username:username *
Your users should now be able to log into their accounts via SFTP and transfer files to and from the directories located beneath their home directories, but they shouldn't be able to see the rest of the server's filesystem.
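sshd refuses the session if the ChrootDirectory, or any directory above it, is not owned by root or is writable by group or others, which is why the home directory is handed to root above. The script below is an added example, not part of the original guide, that checks every component of a path against that rule; the function names and the optional OWNER_UID and TOP arguments are assumptions, there so the check can be tried on a scratch tree.

```shell
#!/bin/sh
# Added example: audit a ChrootDirectory path against sshd's ownership rule.
# Assumed names (not from the guide): chroot_component_ok, chroot_path_ok,
# and the optional OWNER_UID / TOP arguments.

# chroot_component_ok DIR [OWNER_UID]
# Succeeds when DIR is a directory owned by OWNER_UID (default 0, root)
# and not writable by group or others.
chroot_component_ok() {
    dir=$1
    want_uid=${2:-0}
    [ -d "$dir" ] || { echo "FAIL $dir: not a directory"; return 1; }
    # ls -ldnL prints: mode, link count, numeric uid, numeric gid, ...
    set -- $(ls -ldnL "$dir")
    perms=$1
    uid=$3
    if [ "$uid" != "$want_uid" ]; then
        echo "FAIL $dir: owner uid $uid, expected $want_uid"
        return 1
    fi
    case $perms in
        ?????w*|????????w*)   # 6th char = group write, 9th = other write
            echo "FAIL $dir: mode $perms is writable by group or others"
            return 1 ;;
    esac
    echo "ok   $dir ($perms, uid $uid)"
}

# chroot_path_ok ABSOLUTE_PATH [OWNER_UID] [TOP]
# Checks ABSOLUTE_PATH and each parent up to TOP (default /).
chroot_path_ok() {
    p=$1
    owner=${2:-0}
    top=${3:-/}
    rc=0
    case $p in /*) ;; *) echo "FAIL $p: path must be absolute"; return 2 ;; esac
    while :; do
        chroot_component_ok "$p" "$owner" || rc=1
        if [ "$p" = "$top" ] || [ "$p" = / ]; then break; fi
        p=$(dirname "$p")
    done
    return $rc
}

# Stand-alone use: sh check_chroot.sh /home/username
if [ $# -gt 0 ]; then chroot_path_ok "$1"; fi
```

A non-zero exit status means at least one component would make sshd reject the chroot; the FAIL lines name the directory to fix.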
This guide is licensed under a Creative Commons Attribution-NoDerivs 3.0 United States License.
Last edited by Amanda Folson on Sunday, August 21st, 2011 (r2391).
