How to set up SFTP to chroot only for specific users
Issue
- How to set up sftp to chroot only for specific users
- How to set up sftp so that a user can't get out of their home directory, ensuring no other users are affected
- Preserve normal ssh/sftp functionality for most other users
- Support for sftp/scp account jails in openssh server
NOTE: The ownership of the root directory (/) must be root:root; any other ownership will block chroot sftp access. If it is not root:root, run the following command before attempting chroot sftp:
# chown root:root /
1. Edit sshd_config
# vi /etc/ssh/sshd_config
- Comment out the original Subsystem entry for sftp and replace it with a new entry that uses the in-process sftp server:
#Subsystem sftp /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftp
- Add the following to the end of the /etc/ssh/sshd_config file. The Match block applies only to members of the sftponly group: it chroots each of them into a per-user directory, forces the in-process sftp server so no shell is ever executed, and disables TCP and X11 forwarding:
Match Group sftponly
ChrootDirectory /chroots/%u
AllowTcpForwarding no
ForceCommand internal-sftp
X11Forwarding no
2. Create a new group to add sftp-only users to (users in this group will not have ssh or scp access, and their sftp access will be limited to their chrooted environment).
# groupadd sftponly
NOTE: Users not in this group can still log in to the host via ssh and otherwise interact with openssh normally.
3. Configure or create the accounts of any sftp-only users. NOTE: the home directory specified for such a user is interpreted relative to the ChrootDirectory.
# usermod -g sftponly -s /bin/false tafzal
If you have just created the user, set its password:
# passwd tafzal
4. Create the user's chroot environment and set the directory permissions. Ensure that every component of this path is owned by root and writable only by root.
# mkdir -p /chroots/tafzal ; chmod -R 755 /chroots/tafzal
NOTE: In this case, the chroot directory is set to /chroots/%u (%u is replaced by the username of the connecting user), so each user gets an individual chroot environment. Users cannot see any directory outside the root of their own chrooted environment.
5. Create the user's actual home directory under the ChrootDirectory and chown it to the user and the group created/used in Step 3 (above).
# mkdir /chroots/tafzal/myhome ; chown tafzal:sftponly /chroots/tafzal/myhome
NOTE: The permissions of the user's home directory inside the chroot, that is /chroots/tafzal/myhome, should be 0755.
6. Restart sshd
# systemctl restart sshd
Repeat steps 3-5 for any additional users you wish to create or add to the sftponly group.
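As an added example (not part of the Red Hat solution above): a small POSIX shell checker for the ownership and permission rules from steps 4 and 5. It walks every component of a ChrootDirectory path the way sshd does before accepting the chroot and reports any directory that is not owned by root or is group/world-writable. The function names and the optional TOP argument are my own; it assumes GNU stat (Linux).

```sh
#!/bin/sh
# Added example (not from the Red Hat article): walk every component of a
# ChrootDirectory path and report the conditions sshd rejects, i.e. a
# component not owned by root or writable by group/other. Uses GNU stat.

# check_one DIR OWNER_UID: print each problem with DIR, return 1 if any.
check_one() {
    p=$1 want=$2 bad=0
    uid=$(stat -c %u "$p") || return 1
    perms=$(stat -c %A "$p") || return 1
    [ "$uid" = "$want" ] || { echo "$p: owned by uid $uid, expected $want"; bad=1; }
    # %A looks like drwxr-xr-x: char 6 is group write, char 9 is other write
    case $perms in ?????w*) echo "$p: group-writable ($perms)"; bad=1 ;; esac
    case $perms in ????????w*) echo "$p: world-writable ($perms)"; bad=1 ;; esac
    return $bad
}

# check_chroot_path PATH [OWNER_UID] [TOP]: check PATH and every parent
# directory down from TOP (default /, as sshd does). OWNER_UID defaults to 0.
# TOP is a hypothetical extra so a non-root user can validate a test tree.
check_chroot_path() {
    path=$1 want_uid=${2:-0} top=${3:-/} rc=0
    case $top in /) in_scope=1 ;; *) in_scope=0 ;; esac
    [ "$in_scope" -eq 1 ] && { check_one / "$want_uid" || rc=1; }
    oldifs=$IFS; IFS=/; set -- $path; IFS=$oldifs
    cur=""
    for comp in "$@"; do
        [ -z "$comp" ] && continue
        cur="$cur/$comp"
        [ "$cur" = "$top" ] && in_scope=1
        [ "$in_scope" -eq 1 ] && { check_one "$cur" "$want_uid" || rc=1; }
    done
    return $rc
}

# Usage: sh check_chroot.sh /chroots/tafzal  (lists offenders, exit 1 if any)
if [ $# -gt 0 ]; then
    check_chroot_path "$1"
fi
```

Run it as root against /chroots/tafzal after step 5; a clean run prints nothing and exits 0.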
TEST
[root@linux2 data]# sftp tafzal@linux1
tafzal@192.168.2.50's password:
Connected to 192.168.2.50.
sftp> pwd
Remote working directory: /myhome
sftp> put systemrescuecd-x86-4.7.3.iso
Uploading systemrescuecd-x86-4.7.3.iso to /myhome/systemrescuecd-x86-4.7.3.iso
systemrescuecd-x86-4.7.3.iso    0%    0     0.0KB/s   --:-- ETA^Interrupt
systemrescuecd-x86-4.7.3.iso    1% 6592KB   6.4MB/s   01:10 ETA
sftp> cd /opt
Couldn't canonicalize: No such file or directory
sftp>
The final command fails because /opt exists on the host but not inside /chroots/tafzal: the user sees only the contents of their own chroot.
Reference: https://access.redhat.com/solutions/20764