Setup Jailed SFTP User Accounts on Linux
Create a new SFTP users group. Replace sftpusers with your desired group name.
$ sudo addgroup sftpusers
Create a new user account. Replace user with your desired user name.
$ sudo adduser user
Enter the user's full name and a password when prompted.
Then, add the user to the SFTP group (-a appends to the user's existing supplementary groups instead of replacing them).
$ sudo usermod -aG sftpusers user
Make the home directory owned by root. sshd only chroots into a root-owned directory, and this is what keeps the user from writing anywhere outside the upload directory.
$ sudo chown root:root /home/user
Now, create a subdirectory within the user's home directory. This is where files are transferred.
$ sudo mkdir /home/user/uploads
Grant the user ownership of the subdirectory.
$ sudo chown -R user:user /home/user/uploads
Then, make the home directory tree readable and traversable by everyone, while only each directory's owner may write.
$ sudo chmod -R 755 /home/user/
Configure SFTP
With the sftp group and user accounts created, enable SFTP in the main SSH configuration file.
Using an editor of your choice, open the file /etc/ssh/sshd_config.
$ sudo vim /etc/ssh/sshd_config
Add the following lines to the end of the file. Replace sftpusers with your actual SFTP group.
Match Group sftpusers
ChrootDirectory %h
PasswordAuthentication yes
AllowTcpForwarding no
X11Forwarding no
ForceCommand internal-sftp
Save and close the file.
Below are the functions of each of the above configuration lines:
- Match Group sftpusers: Apply the settings that follow only to members of the sftpusers group.
- ChrootDirectory %h: Confine the session to the user's home directory (%h). The chroot directory and every parent directory up to / must be owned by root and not writable by group or others, otherwise sshd rejects the login.
- PasswordAuthentication yes: Enable password authentication.
- AllowTcpForwarding no: Disable TCP forwarding.
- X11Forwarding no: Disable X11 forwarding (graphical displays).
- ForceCommand internal-sftp: Allow SFTP only, with no shell access.
Also, confirm that the SFTP subsystem is enabled (it is by default). The line below should be uncommented in /etc/ssh/sshd_config:
# override default of no subsystems
Subsystem sftp /usr/lib/openssh/sftp-server
Restart the SSH server for the changes to take effect.
$ sudo systemctl restart sshd