{"id":13302,"date":"2019-04-01T11:51:24","date_gmt":"2019-04-01T11:51:24","guid":{"rendered":"http:\/\/www.appservgrid.com\/paw92\/?p=13302"},"modified":"2019-04-01T11:51:24","modified_gmt":"2019-04-01T11:51:24","slug":"how-to-restrict-sftp-users-to-home-directories-using-chroot-jail","status":"publish","type":"post","link":"https:\/\/www.appservgrid.com\/paw92\/index.php\/2019\/04\/01\/how-to-restrict-sftp-users-to-home-directories-using-chroot-jail\/","title":{"rendered":"How to Restrict SFTP Users to Home Directories Using chroot Jail"},"content":{"rendered":"

In this tutorial, we will be discussing how to restrict\u00a0SFTP<\/strong>\u00a0users to their home directories or specific directories. It means the user can only access his\/her respective home directory, not the entire file system.<\/p>\n

Restricting users home directories is vital, especially in a shared server environment, so that an unauthorized user won\u2019t sneak peek into the other user\u2019s files and folders.<\/p>\n

Important<\/strong>: Please also note that the purpose of this article is to provide SFTP access only, not SSH logins, by following this article will have the permissions to do file transfer, but not allowed to do a remote SSH session.<\/p>\n

Suggested Read:<\/b>\u00a0Restrict SSH User Access to Certain Directory Using Chrooted Jail<\/a><\/p>\n

The simplest way to do this, is to create a chrooted jail environment for SFTP access. This method is same for all Unix\/Linux operating systems. Using chrooted environment, we can restrict users either to their home directory or to a specific directory.<\/p>\n

Restrict Users to Home Directories<\/h3>\n

In this section, we will create new group called\u00a0sftpgroup<\/strong>\u00a0and assign correct ownership and permissions to user accounts. There are two choices to restrict users to home or specific directories, we will see both way in this article.<\/p>\n

Create or Modify Users and Groups<\/h4>\n

Let us restrict the existing user, for example\u00a0tecmint<\/code>, to his\/her home directory named\u00a0\/home\/tecmint<\/code>. For this, you need to create a new\u00a0sftpgroup<\/strong>\u00a0group using\u00a0groupadd<\/strong>\u00a0command as shown:<\/p>\n

# groupadd sftpgroup\r\n<\/pre>\n
Next, assign the user\u00a0\u2018tecmint\u2019<\/strong>\u00a0to\u00a0sftpgroup<\/strong>\u00a0group.<\/p>\n
# usermod -G sftpgroup tecmint\r\n<\/pre>\n
You can also create a new user using\u00a0useradd command<\/a>, for example\u00a0senthil<\/code>\u00a0and assign the user to\u00a0sftpusers<\/strong>\u00a0group.<\/p>\n
# adduser senthil -g sftpgroup -s \/sbin\/nologin\r\n# passwd tecmint\r\n<\/pre>\n
Modify SSH Configuration File<\/h4>\n
Open and add the following lines to\u00a0\/etc\/ssh\/sshd_config<\/code>\u00a0configuration file.<\/p>\n
Subsystem sftp internal-sftp\r\n \r\n   Match Group sftpgroup\r\n   ChrootDirectory \/home\r\n   ForceCommand internal-sftp\r\n   X11Forwarding no\r\n   AllowTcpForwarding no\r\n<\/pre>\n
Save and exit the file, restart sshd service to take new changes into effect.<\/p>\n
# systemctl restart sshd\r\nOR\r\n# service sshd restart\r\n<\/pre>\n
If you chroot multiple users to the same directory, you should change the permissions of each user\u2019s home directory in order to prevent all users to browse the home directories of the each other users.<\/p>\n
# chmod 700 \/home\/tecmint\r\n<\/pre>\n
<\/a>Verify SSH and SFTP Users Login<\/h4>\n
Now, it\u2019s time to check the login from a local system. Try to ssh your remote system from your local system.<\/p>\n
# ssh tecmint@192.168.1.150\r\n<\/pre>\n
Here,<\/p>\n
    \n
  1. tecmint<\/strong>\u00a0\u2013 remote system\u2019s username.<\/li>\n
  2. 192.168.1.150<\/strong>\u00a0\u2013 Remote system\u2019s IP address.<\/li>\n<\/ol>\n
    Sample output:<\/h5>\n
    tecmint@192.168.1.150's password: \r\nCould not chdir to home directory \/home\/tecmint: No such file or directory\r\nThis service allows sftp connections only.\r\nConnection to 192.168.1.150 closed.\r\n<\/pre>\n
    Then, access remote system using SFTP.<\/p>\n
    # sftp tecmint@192.168.1.150\r\n<\/pre>\n
    Sample output:<\/h5>\n
    tecmint@192.168.1.150's password: \r\nConnected to 192.168.1.150.\r\nsftp>\r\n<\/pre>\n
    Let us check the current working directory:<\/p>\n
    sftp&gt pwd<\/strong>\r\nRemote working directory: \/\r\n\r\nsftp&gt ls<\/strong>\r\ntecmint  \r\n<\/pre>\n
    Here,\u00a0tecmint<\/code>\u00a0is the home directory. Cd to the\u00a0tecmint<\/strong>\u00a0directory and create the files or folders of your choice.<\/p>\n
    sftp&gt cd tecmint<\/strong>\r\nRemote working directory: \/\r\n\r\nsftp&gt mkdir test<\/strong>\r\ntecmint  \r\n<\/pre>\n
    Restrict Users to a Specific Directory<\/h3>\n
    In our previous example, we restrict the existing users to the home directory. Now, we will see how to restrict a new user to a custom directory.<\/p>\n
    Create Group and New Users<\/h4>\n
    Create a new group\u00a0sftpgroup<\/code>.<\/p>\n
    # groupadd sftpgroup\r\n<\/pre>\n
    Next, create a directory for SFTP group and assign permissions for the root user.<\/p>\n
    # mkdir -p \/sftpusers\/chroot\r\n# chown root:root \/sftpusers\/chroot\/\r\n<\/pre>\n
    Next, create new directories for each user, to which they will have full access. For example, we will create\u00a0tecmint<\/code>\u00a0user and it\u2019s new home directory with correct group permission using following series of commands.<\/p>\n
    # adduser tecmint -g sftpgroup -s \/sbin\/nologin\r\n# passwd tecmint\r\n# mkdir \/sftpusers\/chroot\/tecmint\r\n# chown tecmint:sftpgroup \/sftpusers\/chroot\/tecmint\/\r\n# chmod 700 \/sftpusers\/chroot\/tecmint\/\r\n<\/pre>\n
    Configure SSH for SFTP Access<\/h4>\n
    Modify or add the following lines at the end of the file:<\/p>\n
    #Subsystem  \tsftp\t\/usr\/libexec\/openssh\/sftp-server\r\nSubsystem sftp  internal-sftp\r\n \r\nMatch Group sftpgroup\r\n   ChrootDirectory \/sftpusers\/chroot\/\r\n   ForceCommand internal-sftp\r\n   X11Forwarding no\r\n   AllowTcpForwarding no\r\n<\/pre>\n
    Save and exit the file. Restart sshd service to take effect the saved changes.<\/p>\n
    # systemctl restart sshd\r\nOR\r\n# service sshd restart\r\n<\/pre>\n
    That\u2019s it, you can check by logging into the your remote SSH and SFTP server by using the step provided above at\u00a0Verify SSH and SFTP login<\/a>.<\/p>\n
    Be mindful that this method will disable the shell access, i.e you can\u2019t access the remote system\u2019s shell session using SSH. You can only access the remote systems via SFTP and do file transfer to and from the local and remote systems.<\/p>\n
    Conclusion<\/h3>\n
    Now you know how to restrict users home directories using a Chroot environment in Linux. If you find this useful, share this article on your social networks and let us know in the comment section below if there is any other methods to restrict users home directories.<\/p>\n
    Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
    In this tutorial, we will be discussing how to restrict\u00a0SFTP\u00a0users to their home directories or specific directories. It means the user can only access his\/her respective home directory, not the entire file system. Restricting users home directories is vital, especially in a shared server environment, so that an unauthorized user won\u2019t sneak peek into the … <\/p>\n
    Continue reading “How to Restrict SFTP Users to Home Directories Using chroot Jail”<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-13302","post","type-post","status-publish","format-standard","hentry","category-linux"],"_links":{"self":[{"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/posts\/13302","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/comments?post=13302"}],"version-history":[{"count":1,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/posts\/13302\/revisions"}],"predecessor-version":[{"id":13306,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/posts\/13302\/revisions\/13306"}],"wp:attachment":[{"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/media?parent=13302"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/categories?post=13302"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/tags?post=13302"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}