Bankim Bhagat

Create SFTP server with Multiple Jailed Users



First, refresh the package index so that the install in the next step picks up current package versions. This does not install any new packages.

sudo apt update

Next, install openssh-server. It is not installed by default on the Ubuntu desktop edition.

sudo apt install openssh-server

Create a new group for SFTP users.

sudo addgroup sftp_users

Create a new user account.

sudo adduser newuser

Add this new user to the sftp_users group. The -a flag appends the group to the user's existing supplementary groups; without it, usermod -G replaces them.

sudo usermod -aG sftp_users newuser

Make the home directory root-owned. sshd requires the chroot target to be owned by root, and this also stops the user from creating files in the home directory itself, outside the upload subdirectory.

sudo chown root:root /home/newuser

Now, create new subdirectories within the user home directory. These are used for file transfer.

sudo mkdir /home/newuser/uploads

Grant the user ownership of the subdirectory so they can write into it.

sudo chown -R newuser:newuser /home/newuser/uploads

Then set permissions on the home directory tree. Mode 755 gives the owner read, write and execute and everyone else read and execute, so the root-owned home directory stays non-writable by the user (which ChrootDirectory requires) while the user can still write into uploads, which they own.

sudo chmod -R 755 /home/newuser

Modify the SSH config. Open the sshd_config file in the nano text editor.

sudo nano /etc/ssh/sshd_config

Add the following lines to the bottom of the file.

# Enable the SFTP subsystem using the in-process server.
# Ubuntu's default sshd_config already contains a "Subsystem sftp" line;
# comment that one out, because sshd refuses to start if sftp is defined twice.
Subsystem sftp internal-sftp

# Match block for SFTP users
Match Group sftp_users
    ChrootDirectory %h
    ForceCommand internal-sftp
    X11Forwarding no
    PasswordAuthentication yes
    AllowTcpForwarding no

Below are the functions for each of the above configuration lines:

  • Match Group sftp_users: Apply the settings that follow only to members of the sftp_users group.

  • ChrootDirectory %h: Chroot the session to the user's home directory (%h), so the user cannot see anything outside it.

  • PasswordAuthentication yes: Enable password authentication.

  • AllowTcpForwarding no: Disable TCP forwarding.

  • X11Forwarding no: Disable X11 forwarding (no graphical displays).

  • ForceCommand internal-sftp: Force the SFTP server as the only command, so the user gets no shell.
</gml_replace>
<gr_replace lines="75-75" cat="clarify" orig="Now restart">
Now restart the ssh service for the changes to take effect.

Now restart the ssh service for changes to take effect

sudo service ssh restart

Troubleshooting

Watch the authentication log while the user connects. Chroot problems (for example a home directory that is not root-owned) are logged by sshd when it rejects the session, so match on sshd as well as sftp:

sudo tail -f /var/log/auth.log | grep -E 'sshd|sftp'


Tip: ChrootDirectory

Specifies the pathname of a directory to chroot(2) to after authentication. All components of the pathname must be root-owned directories that are not writable by any other user or group. After the chroot, sshd(8) changes the working directory to the user's home directory.
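As an added check that is not part of the original post: a small POSIX sh helper that walks a ChrootDirectory path from the leaf up to / and reports the first component that breaks the rule quoted above. It assumes GNU stat on Linux, and the function names are mine.

```shell
#!/bin/sh
# Added helper, not from the original post. Verifies that a path meets the
# ChrootDirectory rule: every component, from the directory itself up to /,
# must be a root-owned directory with no group or other write bit.
# Assumes GNU coreutils stat (Linux); macOS/BSD stat uses -f, not -c.

# check_component DIR: print a diagnosis and return 1 on the first violation.
check_component() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "$dir: not a directory"
        return 1
    fi
    # %u = numeric owner uid, %a = permission bits in octal (e.g. 755, 1777)
    out=$(stat -c '%u %a' "$dir") || return 1
    set -- $out
    uid=$1 mode=$2
    if [ "$uid" -ne 0 ]; then
        echo "$dir: owned by uid $uid; fix with: chown root:root $dir"
        return 1
    fi
    # The leading 0 makes the shell parse the mode as octal; 022 masks the
    # group-write (020) and other-write (002) bits.
    if [ $((0$mode & 022)) -ne 0 ]; then
        echo "$dir: mode $mode is group/other writable; fix with: chmod 755 $dir"
        return 1
    fi
    return 0
}

# check_chroot_path /absolute/path: walk from the leaf up to / and stop at
# the first component sshd would reject (the cause of the "bad ownership or
# modes for chroot directory" failure seen in auth.log).
check_chroot_path() {
    case $1 in
        /*) dir=$1 ;;
        *) echo "$1: ChrootDirectory must be an absolute path"; return 1 ;;
    esac
    while :; do
        check_component "$dir" || return 1
        [ "$dir" = / ] && break
        dir=$(dirname "$dir")
    done
    echo "$1: all components are root-owned and not group/other writable"
    return 0
}

# Example invocation for the user created above:
# check_chroot_path /home/newuser
```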
