Jail SFTP-only user to homedir

Follow these instructions to create an SFTP-only user (no SSH access) and limit them to their home directory.

To limit a user to a part of the filesystem, you want to use ChrootDirectory. The given directory must be root:root owned, and the user will be able to read that directory. So you could use /home for example, but then the user can see which users exist on the system. You may or may not want this.

Because I want the SFTP user to be completely isolated in their own little corner, I create a per-user chroot directory.

mkdir /home/henk  # root-owned, for chroot
adduser --home /home/henk/henk --shell /bin/false henk

So the real home is nested in the fake home which is used for chrooting.

In /etc/ssh/sshd_config add:

Subsystem sftp internal-sftp

Match User henk
ChrootDirectory /home/henk
ForceCommand internal-sftp -d henk
PermitTTY no

Test the SSH configuration so you don't lock yourself out (...) Also note that everything after the Match User henk statement, up to the next Match line or the end of the file, applies only to the user henk. You have been warned.

sshd -t
systemctl restart ssh
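
sshd -t only validates the configuration file; the ownership of the chroot path is checked when henk logs in, and sshd applies the root-owned, not group- or world-writable rule to every component of the path. The script below is an added example, not part of the original post, that checks /home/henk and each of its parents against that rule. The function names and the script name check-chroot.sh are made up here, and it assumes a stat that supports -L and -c (GNU coreutils or BusyBox).

```sh
#!/bin/sh
# Added example (not from the original post). Assumes a stat that supports
# -L and -c, i.e. GNU coreutils or BusyBox as on Debian / Raspberry Pi OS.

# check_component DIR [UID]: succeed if DIR is a directory owned by UID
# (default 0 = root) and not writable by group or others.
check_component() {
    c_dir=$1
    c_uid=${2:-0}
    if [ ! -d "$c_dir" ]; then
        echo "FAIL $c_dir: not a directory"
        return 1
    fi
    set -- $(stat -L -c '%u %a' "$c_dir")   # $1 = owner uid, $2 = octal mode
    if [ "$1" != "$c_uid" ]; then
        echo "FAIL $c_dir: owned by uid $1, expected $c_uid"
        return 1
    fi
    if [ $(( 0$2 & 022 )) -ne 0 ]; then
        echo "FAIL $c_dir: mode $2 is group- or world-writable"
        return 1
    fi
    echo "ok   $c_dir (uid $1, mode $2)"
}

# check_chroot_path DIR [UID]: apply check_component to DIR and to every
# parent directory up to /, since each component has to pass.
check_chroot_path() {
    p=$1
    p_uid=${2:-0}
    rc=0
    case $p in
        /*) ;;
        *) echo "FAIL $p: ChrootDirectory must be an absolute path"; return 2 ;;
    esac
    while :; do
        check_component "$p" "$p_uid" || rc=1
        [ "$p" = "/" ] && break
        p=$(dirname "$p")
    done
    return $rc
}

# Usage: sh check-chroot.sh /home/henk   (the page's ChrootDirectory)
if [ $# -gt 0 ]; then
    check_chroot_path "$1"
fi
```

A FAIL line here corresponds to sshd dropping the login with a "bad ownership or modes for chroot directory" message in its log.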

And that should be all:

$ sftp henk@rpi
...
henk@rpi's password:
Connected to rpi.
sftp> pwd
Remote working directory: /henk
sftp> cd /
sftp> ls
henk
sftp>

$ ssh henk@rpi
henk@rpi's password:
PTY allocation request failed
This service allows sftp connections only.
Shared connection to rpi closed.

Perfect, they can access their home directory and nothing else.

