Create SFTP server with Multiple Jailed Users

First refresh the package index so that the install step below picks up current package versions. This command does not install or upgrade anything by itself.

sudo apt update

Next install openssh-server. It is not installed by default on Ubuntu desktop edition.

sudo apt install openssh-server

Create new SFTP Users group

sudo addgroup sftp_users

Create a new user account

sudo adduser newuser

Add this new user to the sftp_users group. Use -a together with -G so the group is appended; -G on its own replaces all of the user's existing supplementary groups.

sudo usermod -aG sftp_users newuser

Make the home directory root-owned. sshd refuses to chroot into a directory unless it, and every directory above it, is owned by root and not writable by group or others, so the user must not own the jail root itself. This is what keeps the user from reaching files outside the home directory.

sudo chown root:root /home/newuser

Now, create new subdirectories within the user home directory. These are used for file transfer.

sudo mkdir /home/newuser/uploads

Grant the user ownership rights to the subdirectories.

sudo chown -R newuser:newuser /home/newuser/uploads

Then set the home directory to mode 755 (owner read/write/execute, group and others read/execute). The jail root must not be group- or world-writable or sshd will reject the login; the user can still write inside uploads, which they own.

sudo chmod -R 755 /home/newuser


Modify the SSH config. Open the sshd_config file in the nano text editor

sudo nano /etc/ssh/sshd_config

Add the following lines to the bottom of the file. Two things to check first: the stock sshd_config already contains a Subsystem sftp line (on Ubuntu it points at /usr/lib/openssh/sftp-server), and sshd refuses to start if the subsystem is defined twice, so change that existing line to internal-sftp rather than adding a second one. Also keep the Match block at the very end of the file, because every directive that follows a Match line applies only to the sessions it matches.

# Enable SFTP subsystem
Subsystem sftp internal-sftp

# Match block for SFTP users
Match Group sftp_users
    ChrootDirectory %h
    ForceCommand internal-sftp
    X11Forwarding no
    PasswordAuthentication yes
    AllowTcpForwarding no

Below are the functions for each of the above configuration lines:

  • Subsystem sftp internal-sftp: Serve SFTP from inside sshd instead of executing the external sftp-server binary, so no binaries or libraries need to exist inside the chroot.
  • Match Group sftp_users: Apply the directives that follow only to members of the sftp_users group.
  • ChrootDirectory %h: Restrict access to the user's home directory (%h expands to it); nothing above it is visible after login.
  • ForceCommand internal-sftp: Enable SFTP only, with no shell access, whatever the client requests.
  • X11Forwarding no: Don't permit forwarding of graphical displays.
  • PasswordAuthentication yes: Enable password authentication for these users.
  • AllowTcpForwarding no: Disable TCP port forwarding, so the account cannot be used as a tunnel into the network.

Now restart the ssh service for the changes to take effect

sudo service ssh restart
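Putting the steps together, here is an added example script (mine, not code from the original post) that creates the group and any number of jailed users, checks the chroot path the same way sshd does before anyone tries to log in, and installs the Match block as a drop-in file. It assumes Ubuntu 20.04 or later, where /etc/ssh/sshd_config includes /etc/ssh/sshd_config.d/*.conf, and the systemd unit name ssh; the drop-in file name 50-sftp-jail.conf, the uploads mode 750 and the nologin shell are my choices. The drop-in holds only the Match block, so the stock Subsystem sftp line is left untouched: ForceCommand internal-sftp works without it, and a second Subsystem line would stop sshd from starting.

```bash
#!/usr/bin/env bash
# Added example, not code from the original post. Automates the procedure
# above for several users and validates the ChrootDirectory ownership rules
# before sshd is reloaded. Assumptions: Ubuntu 20.04+ (sshd_config includes
# /etc/ssh/sshd_config.d/*.conf) and the systemd unit name "ssh". The drop-in
# file name below is my choice.
set -eu

SFTP_GROUP="${SFTP_GROUP:-sftp_users}"
SFTP_CONF=/etc/ssh/sshd_config.d/50-sftp-jail.conf

# Print the Match block for GROUP. Only the Match block goes in the drop-in:
# ForceCommand internal-sftp needs no Subsystem line, and a duplicate
# "Subsystem sftp" entry is a fatal configuration error for sshd.
sftp_match_block() {
  group="$1"
  cat <<EOF
Match Group ${group}
    ChrootDirectory %h
    ForceCommand internal-sftp
    X11Forwarding no
    AllowTcpForwarding no
    PasswordAuthentication yes
EOF
}

# One path component passes sshd's test if it is a directory owned by uid 0
# with neither the group-write nor the other-write bit set.
chroot_component_ok() {
  p="$1"
  [ -d "$p" ] || { echo "not a directory: $p" >&2; return 1; }
  uid=$(stat -c %u "$p")
  [ "$uid" = 0 ] || { echo "not root-owned (uid $uid): $p" >&2; return 1; }
  mode=$(stat -c %A "$p")              # symbolic mode, e.g. drwxr-xr-x
  case "$mode" in                      # char 6 = group w, char 9 = other w
    ?????w????|????????w?) echo "group/other writable ($mode): $p" >&2; return 1 ;;
  esac
}

# Walk /, /home, /home/<user>, ... and stop at the first component that
# sshd would reject with "bad ownership or modes for chroot directory".
check_chroot_path() {
  dir="$1"
  case "$dir" in /*) ;; *) echo "not absolute: $dir" >&2; return 1 ;; esac
  p="/"; rest="${dir#/}"
  while :; do
    chroot_component_ok "$p" || return 1
    [ -n "$rest" ] || break
    comp="${rest%%/*}"
    rest="${rest#"$comp"}"; rest="${rest#/}"
    [ -n "$comp" ] && p="${p%/}/$comp"
  done
}

# Create one jailed user (needs root). The jail root is root:root 755 and the
# user owns only uploads/ inside it, so that is the only place they can write.
setup_sftp_user() {
  user="$1"; home="/home/$1"
  getent group "$SFTP_GROUP" >/dev/null || groupadd "$SFTP_GROUP"
  id "$user" >/dev/null 2>&1 || useradd -m -d "$home" -s /usr/sbin/nologin "$user"
  usermod -aG "$SFTP_GROUP" "$user"    # -a: append, do not replace other groups
  chown root:root "$home"
  chmod 755 "$home"
  mkdir -p "$home/uploads"
  chown "$user:$user" "$home/uploads"
  chmod 750 "$home/uploads"
  check_chroot_path "$home"            # fail loudly now, not at the user's first login
  echo "set the password with: passwd $user"
}

# Write the drop-in, syntax-check it, then reload sshd (needs root).
install_sftp_config() {
  sftp_match_block "$SFTP_GROUP" > "$SFTP_CONF"
  sshd -t                              # parse check before touching the running daemon
  systemctl reload ssh
}

# Usage: sudo SFTP_GROUP=sftp_users ./sftp-jail.sh alice bob
if [ $# -gt 0 ]; then
  for u in "$@"; do setup_sftp_user "$u"; done
  install_sftp_config
fi
```

Running check_chroot_path on a home placed under /tmp or under a group-writable /home shows why the post insists on root ownership: the first offending component is printed, which is the same directory sshd names in auth.log when it refuses the login.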

Troubleshooting

If a login fails, watch the authentication log while reconnecting. Filter on sshd rather than sftp: the most common failure, "bad ownership or modes for chroot directory component", is logged by sshd before the sftp subsystem is ever started, and it names the directory in the path that is not root-owned or is group/world-writable.

sudo tail -f /var/log/auth.log | grep sshd


Tip: ChrootDirectory

From the sshd_config(5) manual page:

Specifies the pathname of a directory to chroot(2) to after authentication. All components of the pathname must be root-owned directories that are not writable by any other user or group. After the chroot, sshd(8) changes the working directory to the user’s home directory.
