Chrooting SFTP users in Ubuntu 9.10

After quite a lot of internet research today, this is probably the most efficient and reliable way to lock SFTP users to their home directories using Linux and specifically Ubuntu Server 9.10 and OpenSSH 5.1.

Let’s assuming you have Open SSH installed and running, as well as that most helpful admin tool, webmin, although of course an SSH connection to the server will do just as well.

The first step is to amend your SSH demon’s config to use the internal sftp mode. Use your favourite text editor or the edit config option in webmin to rem the first line and add the second.

#Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem sftp internal-sftp

You are best to create users from scratch if you want to provide them with only sftp access to their own directory. This is because you want/need to make the users accounts system accounts rather than ordinary accounts. The difference being that system accounts are used for processes and demons and have no file access privileges so as to provide a more secure OS. The following steps will create users who can only connect via sftp and only have rights to the directory you specify.

sudo mkdir /home/username
sudo useradd username

Note you have used “useradd” and not the more familiar “adduser.” The former is more low level and does not automatically create home directories and full details.

As SFTP uses the SSH demon, we need to set the user’s home directory to be owned by root, that the group ID is the same as the user name and the root alone has write permissions. The last line forces the default home directory.

sudo chown root:username /home/username
sudo chmod 755 /home/username
sudo usermod -d /home/username username

Give the user a password if you have not already done so and lock them down further by prohibiting any form of shell access:

sudo passwd username
sudo usermod -s /bin/false username

You can conduct both these steps in the user section of webmin if you are more comfortable there.

So let’s recap, we have set up the server and user as follows:

  • Amended your OpenSSH server to use internal SFTP
  • Created a user and given him a password and a forced home directory
  • Set the home directory to be owned by root and in a group with the user’s name
  • Made root the only user with rights
  • Prevented the user having shell access

We now need to configure the OpenSSH server to work specifically with the new user and their directory.

Edit /etc/ssh/sshd_config in a text editor or webmin and include the following lines at the end of the file:

Match User username
ChrootDirectory /home/username
ForceCommand internal-sftp

This locks the user to his home directory as specified above and forces him to use the internal sftp commands. You could add lines to block TCP forwarding and prevent X sessions.

X11Forwarding no
AllowTcpForwarding no

As an aside, you can chroot a group of users to their home directory by adding these lines to your config file.

Match group sftponly
ChrootDirectory /home/%u
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp

Back to our single user example. You’ll remember that up til now we have only provided him with 755 (read) access through the group with his name. If we create a sub-directory in his home directory we can give him full rights.

sudo mkdir /home/username/folder
sudo chown johndoe:johndoe /home/username/folder
sudo chmod 755 /home/username/folder

Finally restart your SSH server in webmin or at CLI

sudo /etc/init.d/ssh restart

Test file rights and scope of access through a terminal session, putty or Tunnelier if you happen to have to use windows.