Limiting Access with SFTP Jails on Debian and Ubuntu
Updated by Linode Written by Linode
As the system administrator for your Linode, you may want to give your users the ability to securely upload files to your server. The most common way to do this is to allow file transfers via Secure File Transfer Protocol (SFTP), which uses SSH to provide encryption. This requires that you give your users SSH logins. However, by default SSH users are able to view your Linode’s entire filesystem, which may not be desirable.
This guide will help you configure OpenSSH to restrict users to their home directories, and to SFTP access only. Please note that these instructions are not intended to support shell logins; any user accounts modified in accordance with this guide will have the ability to transfer files, but not the ability to log into a remote shell session.
These instructions will work for Ubuntu 9.04, Debian 5, and later. Unfortunately, the version of SSH packaged with Ubuntu 8.04 is too old to support this configuration.
Configure OpenSSH
Edit your
/etc/ssh/sshd_configfile with your favorite text editor:vim /etc/ssh/sshd_configAdd or modify the
Subsystem sftpline to look like the following:- /etc/ssh/sshd_config
-
1Subsystem sftp internal-sftp
Add this block of settings to the end of the file:
- /etc/ssh/sshd_config
-
1 2 3 4 5Match Group filetransfer ChrootDirectory %h X11Forwarding no AllowTcpForwarding no ForceCommand internal-sftp
Save the changes to your file.
Restart OpenSSH:
service ssh restartOpenSSH has been successfully modified.
Modify User Accounts
This section will set up the correct groups, ownership, and permissions for your user accounts.
Create a system group for users whom you want to restrict to SFTP access:
addgroup --system filetransferModify the user accounts that you wish to restrict to SFTP. Issue the following commands for each account, substituting the appropriate username. Please keep in mind that this will prevent these users from being able to log into a remote shell session.
usermod -G filetransfer username chown root:root /home/username chmod 755 /home/usernameThese users will now be unable to create files in their home directories, since these directories are owned by the root user.
Next, you need to create new directories for each user, to which they will have full access. Issue the following commands for each user, changing the directories created to suit your needs:
cd /home/username mkdir docs public_html chown username:filetransfer *Your users should now be able to log into their accounts via SFTP and transfer files to and from their assigned subdirectories, but they shouldn’t be able to see the rest of your Linode’s filesystem.
Use SFTP
Use
sftpfrom the terminal:sftp username@<Your_Linodes_IP>You can use the
helpcommand to see what commands you have access too within the SFTP shell. You have the ability topwd,cdandls, for instance. There are also commands likelpwd, that will print the local working directory. In the local home directory typetouch test.txtTransfer local files to the remote system:
cd docs put test.txtTransfer files to the local system from the remote system:
get test.txtYou can test the file permissions by navigating to a different directory within the SFTP shell, and trying to transfer a file.
sftp> put test.txt /tmp/ Uploading test.txt to /tmp/ remote open("/tmp/"): FailureExit the session with the
exitcommand.
More Information
You may wish to consult the following resources for additional information on this topic. While these are provided in the hope that they will be useful, please note that we cannot vouch for the accuracy or timeliness of externally hosted materials.
Join our Community
Find answers, ask questions, and help others.
This guide is published under a CC BY-ND 4.0 license.