How can I chroot sftp-only SSH users into their homes?

  • I want to give a client access to my server, but I want to limit those users to their home directories. I will bind-mount in any files I want them to be able to see.

    I've created a user called bob and added him to a new group called sftponly. They have a home directory at /home/bob. I've changed their shell to /bin/false to stop SSH logins. Here is their /etc/passwd line:


    I've also changed the /etc/ssh/sshd_config to include the following:

    Match Group sftponly
            ChrootDirectory /home/%u
            ForceCommand internal-sftp
            AllowTcpForwarding no

    When I try to log in as them, here's what I see

    $ sftp [email protected]
    [email protected]'s password: 
    Write failed: Broken pipe
    Couldn't read packet: Connection reset by peer

    If I comment out the ChrootDirectory line I can SFTP in but then they have free rein over the server. I have found that ChrootDirectory /home works, but it still gives them access to any home directory. I have explicitly tried ChrootDirectory /home/bob but that doesn't work either.

    What am I doing wrong? How can I limit bob to /home/bob/?


    Okay so I just had a look at /var/log/auth.log and saw this:

    May  9 14:45:48 nj sshd[5074]: pam_unix(sshd:session): session opened for user bob by (uid=0)
    May  9 14:45:48 nj sshd[5091]: fatal: bad ownership or modes for chroot directory component "/home/bob/"
    May  9 14:45:48 nj sshd[5074]: pam_unix(sshd:session): session closed for user bob

    I'm not entirely sure what's going on there, but it suggests something is wrong with the user directory. Here is the ls -h /home output:

    drwxr-xr-x 26 oli      oli      4096 2012-01-19 17:19 oli
    drwxr-xr-x  3 bob      bob      4096 2012-05-09 14:11 bob

    I believe `ChrootDirectory /home/%u` can be replaced `ChrootDirectory %h`.

  • Oli

    Oli Correct answer

    8 years ago

    All this pain is thanks to several security issues as described here. Basically the chroot directory has to be owned by root and can't be any group-write access. Lovely. So you essentially need to turn your chroot into a holding cell and within that you can have your editable content.

    sudo chown root /home/bob
    sudo chmod go-w /home/bob
    sudo mkdir /home/bob/writable
    sudo chown bob:sftponly /home/bob/writable
    sudo chmod ug+rwX /home/bob/writable

    And bam, you can log in and write in /writable.

    Thank you really useful. Two problems though. 1.) Even though I can't write, I can still browse the whole filesystem. 2.) Changing shell to /bin/false prevents SFTP completely. Am I doing something wrong?

    Thank you! Many other articles on this topic miss this detail, and some make it so the server cannot accept ssh connections (which kind of sucks when you're on EC2 and ... that's the only way).

    @kim3er did you set your user's group to sftponly? If you don't, the ssh server won't match and chroot it. Try "usermod sftponly $USER". Also, /bin/false just removes SSH access. If you want a chrooted user to have ssh access there are more steps you'll need to take.

    kim3er: this is because you need to set the user's shell to /sbin/nologin -- /bin/false disables any sort of access.

    I'd also like to note that all folders that lead to your chroot folder should be owned by `root`. In this example, `/home` should also be owned by root.

    On 14.04, I also had to change the `Subsystem sftp /usr/lib/openssh/sftp-server` line to `Subsystem sftp internal-sftp -f AUTH -l VERBOSE` before this worked.

    This was the best description of this issue that I've found after about an hour spent trying and then Googling.

    So it means there is no way of chrooting a user in a writeable directory : you have to have a subfolder with write permissions ?

    @baramuse you could then "move" the user to the writable directory after login by using `ForceCommand internal-sftp -d /writable` in `/etc/ssh/sshd_config`. They would still be able to browse back up to the read-only chroot dir though. Source

    This is how you add the user `bob` to the group sftponly: `adduser bob sftponly`

    Once you are done, you can bind other directories into the home folder of the jail user with `mkdir /home/bob/localdir/; mount --bind /original/path /home/bob/localdir/`

    Not sure, but it feels like this answer is missing `chmod 750 /home/bob`, as bob still needs read permission after connecting, otherwise he won't see anything if `ChrootDirectory /home/%u` is set.

  • To chroot an SFTP directory, you must

    1. Create a user and force root to be owner of it

      sudo mkdir /home/john
      useradd -d /home/john -M -N -g users john
      sudo chown root:root /home/john
      sudo chmod 755 /home/john
    2. Change the subsystem location on /etc/ssh/sshd_config:

      #Subsystem sftp /usr/lib/openssh/sftp-server
      Subsystem sftp internal-sftp

      and create a user section at the end of the file (ssh can die respawning if placed after Subsystem line):

      Match User john
          ChrootDirectory %h
          ForceCommand internal-sftp
          AllowTCPForwarding no
          X11Forwarding no

    this doesn't seem to work. in your example, the user `john` is locked to the `/home/john` directory. you have granted `755` permissions to the directory. so the owner has read(4), write(2) and execute(1), and the group has read(4) and execute(1). you've also set the owner and group as `root`, so `john` belongs to other. he also has read and execute (4+1=5) then. so you've locked john into a directory where he has no write privileges. how to fix this? changing privileges to `757` or even `777` breaks the login. changing the group or owner to john also breaks login.

    also to note: in /etc/ssh/sshd_config the configs are read in order. So if you have a rule for users in General and you want to overwrite one of them, just place the user-specific rule on top.

    I want to chroot an SFTP directory in some other user's home folder. I have userx at `/home/userx/sftproot/uploads` and sftpuser at /home/sftpuse. I have set chroot at `/home/usex/sftproot` to be owned by root:root and chmod 755. The `/home/usex/sftproot/uploads` is chown-ed by sftpuser:sftpuser. I get the same error as the initial question above. Does the chroot and all parent folders need to be owned by root:root in order for sftp to work?

    +1 for `%h`.............

  • I spent the whole day trying to get a network share on my raspberry. I wanted to lock the user so that it would not be able to navigate through the whole file system, no ssh login access and I wanted to have write access to the network share.

    And here is how I got it working:

    First I created a user:

    sudo useradd netdrive

    Then edited /etc/passwd and made sure it has /bin/false for the user so the line was:

    netdrive:x:1001:1004:Net Drive User,,,:/home/netdrive:/bin/false

    I edited /etc/ssh/sshd_config to include:

    Match User netdrive
      ChrootDirectory /home/netdrive
      ForceCommand internal-sftp
      AllowTcpForwarding no
      X11Forwarding no

    Changed home directory owner and permissions:

    sudo chown root:root /home/netdrive/
    sudo chmod 755 /home/netdrive/

    Ok so after all this I was able to connect using sshfs but in read only mode. What I had to do to get a writable folder:

    sudo mkdir -p /home/netdrive/home/netdrive/
    sudo chown netdrive:netdrive /home/netdrive/home/netdrive/
    sudo chmod 755 /home/netdrive/home/netdrive/

    That was it, it worked without any further changes. Note that I have only writable permissions to the user, not to the group as many other solutions online. I was able to create/delete/edit/rename files/folders without problems.

    When accessing using sshfs with the netdrive user because of chroot configuration I would only see things stored inside server's /home/netdrive/ directory, perfect. The repeated /home/netdrive/home/netdrive/ directory structure is what made it work for me in having a clean chroot ssh writable solution.

    Now I am going to explain below the problems I had:

    You should probably not execute the following paragraphs:

    After looking at the above solutions (and many others on the net which even used acl (access control lists)) I was still not able to get it working because what I did next was:

    The following did NOT work for me:

    sudo mkdir /home/netdrive/writable/
    sudo chown netdrive:netdrive /home/netdrive/writable/
    sudo chmod 755 /home/netdrive/writable/

    Because the netdrive user was still not able to write in that /home/netdrive/writable/ directory despite owning the folder and having the permissions. Then I did: sudo chmod 775 /home/netdrive/writable/ And now I could create a directory and delete it but I was not able to edit it because it was being created without group writable permissions. Here from what I saw on the net people use acl to fix it. But I was not happy with that since it I had to install acl, then configure mount points, etc. Also I have no idea why I would need group permission to write to a folder owned by the same user.

    It seems that for some reason creating /home/netdrive/home/netdrive and giving ownership to the last netdrive folder I was able to make everything work without messing with group permissions.

  • I followed this article but it didnt work. It started working after I made this change (suggested in above answers):

    #Subsystem sftp /usr/lib/openssh/sftp-server
    Subsystem sftp internal-sftp

    Plus made the root ownable home directory under which I had user writable sub directory (as described above).

    The new and useful thing I want to add with this answer is that you can simplify the configuration simply by specifying %h as user home directory:

    ChrootDirectory %h

    I have discovered it thanks to this link.

License under CC-BY-SA with attribution

Content dated before 6/26/2020 9:53 AM