Often we need to provide secure but restricted sftp access to our clients to upload or download large files.<\/p>\n\n\n\n
Regular sftp accounts allow the users to view login names of other users\/clients and in many default installations even allow them to browse through the directories and files. In addition, they can also view your system files and any unprotected files and directories including much of your system settings under etc.<\/p>\n\n\n\n
When you provide sftp access, you also provide ssh access (sftp is a subsystem of ssh) and as such users can login.<\/p>\n\n\n\n
We address these issues by enclosing the user’s home directory in chroot jail, which makes it impossible for the user to break out of his home directory and view other’s files and directories.<\/p>\n\n\n\n
Follow the steps below to configure your system.<\/p>\n\n\n\n
<\/p>\n\n\n\n
As root (or sudo) modify \/etc\/ssh\/sshd_config:Change Subsystem sftp line to:<\/p>\n\n\n\n
Subsystem sftp internal-sftp<\/code><\/pre>\n\n\n\nAdd this to the end<\/strong> of the file:<\/p>\n\n\n\nMatch Group sftp\n ChrootDirectory %h\n X11Forwarding no\n AllowTcpForwarding no\n ForceCommand internal-sftp<\/code><\/pre>\n\n\n\nSave the changes and restart OpenSSH:<\/p>\n\n\n\n
sudo apt install whois\n<\/code><\/pre>\n\n\n\nCreate a system group for users with restricted sftp access:<\/p>\n\n\n\n
addgroup --system sftp<\/code><\/pre>\n\n\n\n