Setup Restrictive SFTP with Chroot on Ubuntu 16.04 / 17.10 and 18.04

Want to set up an SFTP server on Ubuntu? SFTP runs file transfers over SSH, so both credentials and data are encrypted between the SFTP host and the client machines. Plain FTP sends both in cleartext, which is why most deployments today use SFTP instead.

An even more restrictive setup is to enable chroot. A chroot confines a process to one directory subtree, a jail, so the rest of the filesystem is invisible to it. When chroot is enabled for an SFTP account, that account can only see and access the directory tree it is jailed in and nothing else.

This brief tutorial shows students and new users how to set up SFTP on Ubuntu 16.04 / 17.10 and 18.04 with chroot enabled on the Ubuntu home directories.

To get started, continue with the steps below.

Step 1: Install OpenSSH Server

If you haven’t already installed the OpenSSH server, run the commands below to install it.

sudo apt update
sudo apt install openssh-server

After installing, the commands below can be used to stop, start, and enable the service so that it starts automatically when the server boots.

sudo systemctl stop ssh.service
sudo systemctl start ssh.service
sudo systemctl enable ssh.service

Step 2: Configure SFTP

Now that the OpenSSH server is installed, open its configuration file by running the command below.

sudo nano /etc/ssh/sshd_config

Then edit the file as shown below: comment out the existing Subsystem line by adding a # in front of it, and add the new Subsystem line just below it. This switches the SFTP subsystem from the external sftp-server binary to internal-sftp, which runs inside the sshd process itself and therefore works inside a chroot that contains no binaries or libraries.

# override default of no subsystems
#Subsystem      sftp    /usr/lib/openssh/sftp-server
Subsystem sftp internal-sftp

Next, add the lines below at the end of the file (the commented Match User example is already in Ubuntu’s default sshd_config; put the Match Group block after it). Two rules to keep in mind: a Match block must come after all global settings, because everything that follows a Match line applies only to the sessions it matches; and sshd will refuse the login unless the ChrootDirectory and every directory above it are owned by root and not writable by group or other. /home on Ubuntu already satisfies that rule, which is why it works here without any permission changes.

# Example of overriding settings on a per-user basis
#Match User anoncvs
#       X11Forwarding no
#       AllowTcpForwarding no
#       PermitTTY no
#       ForceCommand cvs server
Match Group sftp_users
        X11Forwarding no
        AllowTcpForwarding no
        ChrootDirectory /home
        ForceCommand internal-sftp

Save the file and exit.

After editing the file, validate it first with sudo sshd -t (it prints nothing when the configuration is good), then run the command below to restart the OpenSSH server. Keep your current SSH session open until you have confirmed that a fresh login still works; a mistake in sshd_config can lock you out of a remote server.

sudo systemctl restart ssh.service

Step 3: Create SFTP Group

Now that the SFTP settings are defined and matched against the sftp_users group, create that group and add the users you want to restrict to the chroot. To create the group, run the command below.

sudo groupadd sftp_users

Now add a user to the group by running the command below.

sudo usermod -aG sftp_users richard

Replace richard with the Ubuntu account name; this adds the user to the sftp_users group created above. Because of the ForceCommand line, members of this group can no longer get a shell over SSH, only SFTP, so do not add an administrative account to it.

That’s it! Your system is now configured for chrooted SFTP for the users in the group.

Your users can connect with their favorite FTP client, such as FileZilla, over the SFTP protocol. Note exactly what the chroot in this configuration does and does not do: with ChrootDirectory /home, each user is jailed in /home, not in their own home directory, so they can list every home directory under /home and read any of them whose permissions allow it (Ubuntu creates home directories with mode 755 by default, so they would be readable). If users must be confined to their own directory, use ChrootDirectory %h instead, make each home directory owned by root with mode 755, and give the user a writable subdirectory inside it, because sshd requires the chroot directory itself to be root-owned.

Make sure to select SFTP as the protocol in FileZilla.


When you connect for the first time, you’ll be prompted whether to accept the server’s host key. Compare the fingerprint shown with the one on the server (run ssh-keygen -lf against the server’s public host key file in /etc/ssh/) before accepting it; this comparison is the only protection against a man-in-the-middle on the first connection.


Connect and use the SFTP service…


Enjoy!


7 Replies to “Setup Restrictive SFTP with Chroot on Ubuntu 16.04 / 17.10 and 18.04”

  1. Great article – many thanks.
    A quick question: all users have access to their private SFTP directory; how do you give all of them access to a shared directory?

  2. Well explained, thanks. Worked 100% the first time, which is pretty rare these days 🙂

    Perhaps you could elaborate a bit by adding keys to the process instead of passwords.

  3. Your first command ‘sudo update’ isn’t a valid command. I believe you mean ‘sudo apt-get update’.

  4. Works great. But I didn’t do my homework and I changed /etc/ssh/sshd_config without thinking. Now I can’t connect to the server again. I don’t have physical access… wat do? Seriously though, I’m in trouble now.
