Configure SFTP with Chroot Jail on Debian

Setting up a chroot jail for SFTP (Secure File Transfer Protocol) on a Debian server enhances security by restricting users' access to a specific directory. This is particularly useful for granting limited file transfer capabilities without providing full shell access.


Installing and Configuring SSH

Ensure that the SSH server is installed:

sudo apt-get install openssh-server

Then, edit the SSH configuration file:

sudo nano /etc/ssh/sshd_config

Configuring Chroot Environment

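In the sshd_config file, set up the chroot environment with the following lines. If a Subsystem sftp line already exists (Debian ships one that points to /usr/lib/openssh/sftp-server), change it rather than adding a second one. Put the Match block at the end of the file, because its settings apply to every line up to the next Match or the end of the file: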

Subsystem sftp internal-sftp

Match Group sftponly
ChrootDirectory /home/%u
ForceCommand internal-sftp
AllowTcpForwarding no
X11Forwarding no

Replace /home/%u with your desired chroot directory (%u expands to the name of the connecting user) and sftponly with the group name for restricted users.

Creating User and Group

Create a group for chroot-restricted users:

sudo groupadd sftponly

Add a user to this group and set their home directory:

sudo useradd -m -g sftponly -s /bin/false username
sudo passwd username

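Ensure the user's home directory is owned by root. sshd refuses to use a ChrootDirectory unless it, and every directory above it, is owned by root and not writable by group or others: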

sudo chown root:root /home/username

Because the user cannot write to the root-owned chroot directory itself, create a subdirectory for user files and give the user ownership of it:

sudo mkdir /home/username/files
sudo chown username:sftponly /home/username/files

Restarting SSH

Apply changes by restarting the SSH service:

sudo systemctl restart sshd

Testing the Configuration

Test your setup by connecting with an SFTP client using the newly created user's credentials. The user should be able to access only the specified directory.
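
If the login is rejected, the usual cause is the ownership or mode of the chroot path. The shell function below is an added example, not part of the original guide: it walks from the chroot directory up to / and reports every component that sshd would refuse. The OWNER_UID and STOP_AT arguments are assumptions of this example so that it can be tried on a scratch directory without root.

```shell
#!/bin/sh
# Added example: check a ChrootDirectory against sshd's path rule.
# sshd requires every component, from / down to the chroot itself, to be
# a directory owned by root and not writable by group or others.
#
# Usage: check_chroot DIR [OWNER_UID] [STOP_AT]
#   OWNER_UID (default 0) and STOP_AT (default /) are assumptions of this
#   example so it can be tried on a scratch tree without root.
check_chroot() {
    dir=$1
    owner=${2:-0}
    stop=${3:-/}
    rc=0
    if [ ! -d "$dir" ]; then
        echo "FAIL $dir: not a directory"
        return 1
    fi
    dir=$(cd "$dir" && pwd -P) || return 1   # resolve symlinks
    while :; do
        uid=$(stat -c %u "$dir")     # numeric owner (GNU stat, as on Debian)
        mode=$(stat -c %a "$dir")    # octal mode, e.g. 755
        if [ "$uid" != "$owner" ]; then
            echo "FAIL $dir: owner uid $uid, expected $owner"
            rc=1
        fi
        # 022 masks the group-write and other-write bits.
        if [ $((0$mode & 022)) -ne 0 ]; then
            echo "FAIL $dir: mode $mode is writable by group or others"
            rc=1
        fi
        if [ "$dir" = "$stop" ] || [ "$dir" = "/" ]; then
            break
        fi
        dir=$(dirname "$dir")
    done
    [ "$rc" -eq 0 ] && echo "OK: path satisfies the sshd chroot rule"
    return "$rc"
}

# Run as a script: sudo sh check_chroot.sh /home/username
if [ "$#" -gt 0 ]; then
    check_chroot "$@"
fi
```

Run it with sudo on the server so that it can enter every directory on the path.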