Jail SFTP-only user to homedir
Follow these instructions to create an SFTP-only user (no SSH access) and limit them to their home directory.
To limit a user to a part of the filesystem, you want to use ChrootDirectory. The given directory must be owned by root:root, and the user will be able to read that directory. So you could use /home for example, but then the user can see which users exist on the system. You may or may not want this.
Because I want the SFTP user to be completely isolated in their own little corner, I create a per-user chroot directory.
mkdir /home/henk # root-owned, for chroot
adduser --home /home/henk/henk --shell /bin/false henk
So the real home is nested in the fake home which is used for chrooting.
In /etc/ssh/sshd_config add:
Subsystem sftp internal-sftp
Match User henk
ChrootDirectory /home/henk
ForceCommand internal-sftp -d henk
PermitTTY no
Test the SSH configuration so you don't lock yourself out (...) Also note that everything after the Match User henk statement only applies to the user henk. You have been warned.
sshd -t
systemctl restart ssh
And that should be all:
$ sftp henk@rpi
...
henk@rpi's password:
Connected to rpi.
sftp> pwd
Remote working directory: /henk
sftp> cd /
sftp> ls
henk
sftp>
$ ssh henk@rpi
henk@rpi's password:
PTY allocation request failed
This service allows sftp connections only.
Shared connection to rpi closed.
Perfect, they can access their home directory and nothing else.
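The ownership rule for ChrootDirectory covers more than the last directory: sshd_config(5) requires every component of the path to be root-owned and not writable by group or others. The script below is an added example, not part of the original post, that walks the path and reports any component breaking that rule. It assumes GNU stat (Debian, Raspberry Pi OS), and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: check a ChrootDirectory path against sshd's ownership rules.
# Usage: sh check_chroot.sh /home/henk
# Assumes GNU coreutils (stat -c, readlink -f).

# component_ok UID OCTAL_MODE
# Succeeds only if the owner is root (uid 0) and neither the
# group-write (020) nor the other-write (002) bit is set.
component_ok() {
    [ "$1" = "0" ] || return 1
    [ $(( 0$2 & 022 )) -eq 0 ]
}

# check_chroot_path DIR
# Walks DIR and every parent up to /, printing one "BAD" line per
# offending component. Returns 0 if all pass, 1 if any fail,
# 2 if DIR is not an existing directory.
check_chroot_path() {
    path=$(readlink -f -- "$1") || return 2
    [ -d "$path" ] || { echo "not a directory: $1" >&2; return 2; }
    rc=0
    while :; do
        # stat prints "<uid> <octal mode>", e.g. "0 755"
        set -- $(stat -c '%u %a' -- "$path")
        if ! component_ok "$1" "$2"; then
            echo "BAD $path (uid=$1 mode=$2)"
            rc=1
        fi
        [ "$path" = "/" ] && break
        path=$(dirname -- "$path")
    done
    return $rc
}

# Run the check only when a directory is given on the command line.
if [ "$#" -gt 0 ]; then
    check_chroot_path "$1"
fi
```

For the layout on this page, /home/henk and its parents must all pass, while the nested /home/henk/henk is the user's own directory and is not part of the chroot path.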