Configure OpenSSH to restrict access with SFTP Jails

Because by default settings SSH users will be able to view the entire filesystem which is not desirable.

Every now and then there may be a need to give your users the ability to securely upload files to your web server. This is typically done using Secure File Transfer Protocol (SFTP), which uses SSH to provide encryption. In such scenario, you may have to give your users SSH logins.

That’s where the trouble begins. By default settings, SSH users will be able to view the entire filesystem. This is not what you want. Don’t you?

Restrict Access to Home Directories with SFTP Jails

In this Terminal Tuts, we are going to guide you on how to configure OpenSSH to restrict access to the home directories.

1. Configuring OpenSSH

Before modifying the sshd config file, we advise taking a backup just in case you needed the original later on. Launch Terminal and enter the following command:

sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.Backup

Let’s start modifying it. Open the sshd_config file using vim.

sudo vim /etc/ssh/sshd_config

Add the following line. If there is an existing subsystem sftp line, go ahead and modify it to match it.

Subsystem sftp internal-sftp

Next, add the following lines to the end of the file.

Match group securegroup
ChrootDirectory %h
X11Forwarding no
AllowTcpForwarding no

The final edited file should look like this.

Edited File
Edited File

When you are done, save and close the file.

Restart SSH for the new settings to take effect.

sudo systemctl restart sshd

2. Creating Group & User

Let’s create a group so that you can simplify managing the permissions. To create a new group for users:

sudo addgroup --system securegroup

Create a user named ‘sftpuser’ using adduser command and add it to the securegroup we created.

sudo adduser sftpuser --ingroup securegroup

Go ahead and add existing users to the group using usermod command.

sudo usermod -g securegroup sftpuser

3. Managing Permissions

The fun part begins now. We are going to restrict writing access to the HOME folder of a jailed SFTP user.

Start by changing the sftp user Home directory ownership using chown command.

sudo chown root:root /home/sftpuser

Modify the sftp user home directory permissions by using chmod command.

sudo chmod 755 /home/sftpuser

Now we are going to create a folder for sftpuser:

sudo cd /home/sftpuser
sudo mkdir uploadfiles

Modify the folder ownership.

sudo chown sftpuser:securegroup uploadfiles

The user should be able to access the account using SFTP and can upload documents to a given directory.

4. Verify SFTP

To verify everything is working as intended, use an FTP client like Filezilla and login to the server. Enter server IP, user name and password. Port should be 22. You should not be able to access the home directory with the restricted user account.

SFTP
SFTP

5. Additional Configurations

During a situation where your client wants to upload files/images to someplace in the web document root, you can mount the needed folder to sftpuser folder. For example, we are going to mount /var/www/html/webapp/pub/media to sftpuser folder.

Our Media folder can be seen as follows:

Media Folder
Media Folder

Here we are using a bind mount to mount folder.

sudo mount -o bind /var/www/html/webapp/pub/media   /home/sftpuser/uploadfiles/

This will be temporary and permission will reset after reboot. To make it permanent, you need to edit the fstab file as follows:

sudo vim /etc/fstab

Add the following line to file.

/var/www/html/webapp/pub/media      /home/sftpuser/uploadfiles/   none    bind    0

Save and exit the file. Try using your favorite SFTP client and log in as a sftpuser. You should be able to see the media folder contents.

After Directory Mount
After Directory Mount

That’s it for today. You should have by now learned how to configure and verify a Jail SFTP user. Feel free to ask any questions you have in the comments below.

Darshana
Hey! I'm Darshana, a Linux / DevOps Engineer and also a contributor to FOSS Linux. I enjoy working on various kind of Linux distributions and cloud technologies. During my free time, I love to swim and hike across nature trails. Linux is my love and I'm here to share all my learnings with all of you! Hope you enjoyed reading my article.

LEAVE A REPLY

Please enter your comment!
Please enter your name here

STAY CONNECTED

23,661FansLike
359FollowersFollow
16SubscribersSubscribe

LATEST ARTICLES

How to install Lightworks on Ubuntu

Even though Linux may not get a native installer of video editing software like Adobe Premiere or Final Cut Pro, that doesn't mean there are no industry standards tools available. Lightworks is non-linear editing (NLE) video mastering app for Windows, Linux, and macOS. Installing it on Ubuntu is simple due to deb package availability.

How to install DaVinci Resolve on Fedora

Davinci Resolve is a professional application used for color correction, video editing, visual effects, and motion graphics. It is one of the extensively used software by movie industries located in Hollywood.

The 10 Best Programming Languages for Hacking

One of the significant entities we have in Cyber Security is Ethical Hacking (ETH). It is the process of detecting and finding flaws or vulnerabilities in a system that a hacker would exploit.

5 Ways to Open a Terminal in Ubuntu

Even though Ubuntu supports many applications with amazing Graphical User Interfaces (GUI), there are always reasons why users prefer using the Terminal to perform different tasks.

How to install Wine on Fedora Workstation

Linux distributions are becoming more and more popular every day, and Fedora Workstation is not left behind. This popularity brings forth the need to run Windows applications on Linux distros like Fedora. Windows has quite some excellent Software that is not available for Linux.

How to download and install iTunes on Linux

iTunes has always been a convenient platform for downloading, organizing, playing, and syncing media between your Apple devices. It also gives users a large pool of media to buy or stream millions of songs using Apple Music.

MUST READ

Linux is growing faster than ever. As per the latest report, there is a drop in the Windows 10 market share for the first time, and Linux's market share has improved to 2.87% this month. Most of the features in the list were rolled out in the Pop OS 20.04. Let's a detailed look into the new features, how to upgrade, and a ride through video.
Elementary OS 5.1 Hera has received a point release with a handful of new features and bug fixes, and we will be reviewing the significant changes in this article. For those new to elementary OS, this Ubuntu-based Linux distribution uses their inhouse built Pantheon desktop environment and AppCenter.

5 ways to send emails using the command-line in Linux

Did you master using the command-line in Linux? There is no limit to what one can do via the Linux Terminal. One of such things we are going to discuss today are methods of sending an email using the command-line.

How to clone hard disk on Linux using Clonezilla

Disk cloning refers to the process of copying data from one disk to another, thus creating a one-to-one copy of the drive. Technically, this process is possible using the copy-and-paste method.

5 Best Download Managers for Linux

We often need to download large files that can go corrupt due to various reasons such as slow internet or interrupted download. Using a broken downloaded file is not something one wants. Download managers make sure that the downloaded file maintains its integrity and also presents you with the ability to pause and resume downloads, provided the server supports it. When you are downloading a massive file, it's recommended to use a download manager.

Ubuntu MATE 20.04 LTS Review: Refinement at its Best

Ubuntu MATE 20.04 LTS was released a week ago after two years of development. Official updates and security patches will be provided until April 2025. I have installed it on my test laptop for a spin and here are my observations based on almost a week usage.