Configure SFTP with Chroot Jail on Debian
Setting up a chroot jail for SFTP (Secure File Transfer Protocol) on a Debian server enhances security by restricting users' access to a specific directory. This is particularly useful for granting limited file transfer capabilities without providing full shell access.
Installing and Configuring SSH
Ensure that the SSH server is installed:
sudo apt-get install openssh-server
Then, edit the SSH configuration file:
sudo nano /etc/ssh/sshd_config
Configuring Chroot Environment
In the sshd_config file, locate or add the following lines to set up a chroot environment. Replace Debian's existing Subsystem sftp /usr/lib/openssh/sftp-server line rather than adding a second one (sshd accepts only one), and place the Match block at the end of the file, because Match applies to every directive after it until the next Match:
Subsystem sftp internal-sftp
Match Group sftponly
    ChrootDirectory /home/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
Replace /home/%u with your desired chroot directory and sftponly with the group name for restricted users. %u expands to the name of the authenticating user, so each member of the group is jailed in their own home directory.
Creating User and Group
Create a group for chroot-restricted users:
sudo groupadd sftponly
Add a user to this group and set their home directory:
sudo useradd -m -g sftponly -s /bin/false username
sudo passwd username
Ensure the user's home directory is owned by root; sshd refuses to chroot into a directory (or into a path whose parents) that is not root-owned or is writable by group or others:
sudo chown root:root /home/username
Because the jail itself is root-owned, the user cannot write to it directly; create a subdirectory they own for their files:
sudo mkdir /home/username/files
sudo chown username:sftponly /home/username/files
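The ownership and mode rules above are easy to get wrong, and a mistake only shows up as a failed login with "bad ownership or modes for chroot directory" in the auth log. The following script is an added example, not part of the original guide, that audits the jail for one user before sshd is restarted. It assumes GNU coreutils stat (as on Debian), the /home/username and /home/username/files layout used here, and sshd at /usr/sbin/sshd; the function names and the STOP/UID parameters are this example's own choices, present only so the logic can be exercised on a throwaway directory tree without root.

```shell
#!/bin/sh
# Added example, not from the original guide: audit the prerequisites OpenSSH
# enforces for ChrootDirectory. The chroot directory and every ancestor must be
# owned by root and must not be writable by group or others, or the login is
# refused. Assumes GNU coreutils stat (Debian). Function names are this example's own.

# mode_ok OWNER_UID MODE EXPECTED_UID
# Pure check on already-gathered values: the owner must equal EXPECTED_UID and
# the octal MODE must carry no group or other write bit (755 passes, 775 fails).
mode_ok() {
  m_owner=$1; m_mode=$2; m_want=$3
  [ "$m_owner" -eq "$m_want" ] || return 1
  # normalise to the last three octal digits (drops a leading setgid/sticky digit)
  while [ ${#m_mode} -lt 3 ]; do m_mode=0$m_mode; done
  m_mode=$(printf '%s' "$m_mode" | tail -c 3)
  m_group=$(printf '%s' "$m_mode" | cut -c2)
  m_other=$(printf '%s' "$m_mode" | cut -c3)
  [ $((m_group & 2)) -eq 0 ] || return 1
  [ $((m_other & 2)) -eq 0 ] || return 1
}

# check_dir DIR EXPECTED_UID: apply mode_ok to a real directory.
check_dir() {
  c_dir=$1; c_want=$2
  [ -d "$c_dir" ] || { echo "missing directory: $c_dir" >&2; return 1; }
  c_owner=$(stat -c '%u' "$c_dir")
  c_mode=$(stat -c '%a' "$c_dir")
  mode_ok "$c_owner" "$c_mode" "$c_want" && return 0
  echo "bad ownership or modes: $c_dir (uid $c_owner, mode $c_mode)" >&2
  return 1
}

# check_chain DIR STOP EXPECTED_UID: check DIR and every ancestor up to and
# including STOP. In a real deployment STOP is / and EXPECTED_UID is 0; they are
# parameters only so the logic can be tested on a scratch tree without root.
check_chain() {
  h_dir=$1; h_stop=$2; h_want=$3; h_rc=0
  while :; do
    check_dir "$h_dir" "$h_want" || h_rc=1
    [ "$h_dir" = "$h_stop" ] && break
    [ "$h_dir" = "/" ] && break
    h_dir=$(dirname "$h_dir")
  done
  return $h_rc
}

# check_upload_dir DIR UID GID: the writable subdirectory inside the jail must
# belong to the SFTP user and group, otherwise uploads fail with permission denied.
check_upload_dir() {
  u_dir=$1; u_uid=$2; u_gid=$3
  [ -d "$u_dir" ] || return 1
  [ "$(stat -c '%u' "$u_dir")" -eq "$u_uid" ] || return 1
  [ "$(stat -c '%g' "$u_dir")" -eq "$u_gid" ]
}

# audit_user USERNAME: full check for an account created as in the guide
# (/home/USERNAME is the root-owned jail, /home/USERNAME/files the user-owned
# upload directory), followed by an sshd_config syntax check. Run as root:
#   sudo sh sftp_chroot_audit.sh username
audit_user() {
  a_user=$1
  a_uid=$(id -u "$a_user") || return 1
  a_gid=$(id -g "$a_user") || return 1
  id -nG "$a_user" | tr ' ' '\n' | grep -qx sftponly ||
    { echo "$a_user is not in group sftponly" >&2; return 1; }
  check_chain "/home/$a_user" / 0 || return 1
  check_upload_dir "/home/$a_user/files" "$a_uid" "$a_gid" || return 1
  /usr/sbin/sshd -t && echo "sftp chroot for $a_user looks correct"
}

# Only run the audit when a username is given, so the functions can also be sourced.
if [ $# -ge 1 ]; then
  audit_user "$1"
fi
```

Run it as root with the username from the steps above; any directory it reports is one sshd will reject, and the final sshd -t catches a malformed sshd_config before the restart in the next step leaves you locked out.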
Restarting SSH
Apply changes by restarting the SSH service:
sudo systemctl restart sshd
Testing the Configuration
Test your setup by connecting with an SFTP client using the new user's credentials. The user should see only the chroot directory, which appears as / inside the session, and an attempt to open an SSH shell as that user should be refused.