Chroot sftp user/group directory.

This is a simple reference to chroot a sftp user or group to a folder – usually the web server folder. It is not covered “full” chrooting.

Edit /etc/ssh/sshd_config (/etc/sshd_config on some distributions) and set the following options:

#Subsystem sftp internal-sftp
#In some cases you might need to uncomment the line above and comment existing #Susbsytem option 
#Match user sftp-user
Match group sftp
ChrootDirectory /var/www
ForceCommand internal-sftp
AllowTcpForwarding no

Be sure to place the “Match” directive at the end of the file. This tells OpenSSH that all users in the sftp group are to be chrooted to their home directory (which %h represents in the ChrootDirectory command – you can use it instead of “/var/www” in this case), or any other you specify.

Don’t leave two or more Subsytem sftp directives at the same time – use only one. Otherwise you wont be able to access the server from ssh!

For any users that you wish to chroot, add them to the sftp group by using:

# usermod -G sftp paul
# usermod -s /bin/false paul
# chown root:root /home/paul
# chmod 0755 /home/paul

If you still have problems it is most probably because of directory permissions or/and ownership – you can try this:


sudo chown root /var/www
sudo chmod go-w /var/www
sudo mkdir /var/www/writeable
sudo chown bob:sftponly /var/www/writeable
sudo chmod ug+rwX /var/www/writeable

Be very careful as changes to sshd_config might leave you without ssh and sftp access to the server!!!