How to create a jailed SFTP user (chroot jail)

Important note for AWS Marketplace users:

If you haven't enabled the root account on your Marketplace server, then you will need to run the below commands with sudo. The easiest way to do that is within a sudo shell and exit when you are finished. E.g. start with the following command:

sudo su

And when finished:

exit

Here we go...

All TurnKey appliances come with SFTP pre-configured and enabled. However, by default all users have read access to the whole filesystem. If you don't mind them reading files, that may not be an issue: by default, new non-privileged users have write access only to their home directory (usually /home/USERNAME), plus anywhere you explicitly give them write access. Additionally, as SFTP is provided by SSH, by default they can also log into an SSH shell. What they can do there will again be limited, but this may still be undesirable.

So in a scenario where you only want SFTP users to log in via SFTP (and not SSH) and you want them locked in their own directory (known as a "chroot jail"), you can configure SSH/SFTP to do that.

Below I have given the commands required. They are in script form, so they can be copy/pasted to the command line. Please note, I have tried to make the commands idempotent (i.e. they won't break things if you run them multiple times) but I haven't extensively tested them. So if you rerun parts of the script, there is a chance you may have unexpected results. The user-related commands can be rerun for a new user (changing the value of NEW_USER), but adding the sftp_users group and the SSH config should only be done once. If you need to tweak the SSH config settings, I recommend that you edit the config file manually.

Run Once

Create the required group:

groupadd sftp_users

Run Once per New User

Add a new user. I am using the name "newuser" here but you can use whatever name you like, although I strongly suggest you use only lowercase characters with no spaces or special characters. If you wish to add additional users, then change the value of "NEW_USER" (in the first line below):

NEW_USER=newuser
useradd -G sftp_users -s /sbin/nologin $NEW_USER
passwd $NEW_USER

Once you have set a password for the new user and confirmed it, then complete creating the new user account:

mkdir -p /home/$NEW_USER/files
chown root:root /home/$NEW_USER
chown $NEW_USER:$NEW_USER /home/$NEW_USER/files
chmod 700 /home/$NEW_USER/files
usermod -d /files $NEW_USER

Run Once Only!

Next we need to reconfigure SSH/SFTP. To do that we need to edit the SSH config file (/etc/ssh/sshd_config). To make it easy, I have provided the changes in script form. Please note, this should only be done once:

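CONF=/etc/ssh/sshd_config
SEARCH="Subsystem sftp \/usr\/lib\/openssh\/sftp-server"
NEW_LINE="Subsystem sftp internal-sftp"

# Comment out the external sftp-server subsystem line
sed -i "/^$SEARCH/ s|^|#|" $CONF
# Drop any earlier copy of the new line, then add it after the old one
sed -i "/$NEW_LINE/d" $CONF
sed -i "/$SEARCH/a\\$NEW_LINE" $CONF
# Append the Match block only if it is not already present
if ! grep "Match Group sftp_users" $CONF >/dev/null; then
    cat >> $CONF <<EOF

Match Group sftp_users
  X11Forwarding no
  AllowTcpForwarding no
  ChrootDirectory /home/%u
  ForceCommand internal-sftp
EOF
fi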

Final step is restarting SSH:

service ssh restart

If you need to tweak your SSH settings further, please edit the config file manually using a text editor such as nano. E.g.:

nano /etc/ssh/sshd_config

The user will automatically sftp into their chrooted home (/home/user/files). They will be able to cd to the parent directory (/home/user) but won't have anything other than read access there (and can't browse any higher).
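
sshd only honours ChrootDirectory when the jail directory and every parent of it are owned by root and not writable by group or others, which is what the chown root:root step above provides. The script below is an added example, not part of the original page, that checks this for one user; its function names and the file name check_jail.sh are assumptions of the example.

```shell
#!/bin/sh
# Added example (not TurnKey's or OpenSSH's code); function names are this example's own.
# Assumes GNU stat (as on Debian-based TurnKey) and the /home/USER/files layout above.

# jail_perm_ok UID MODE: succeed if owner is root and group/other cannot write.
jail_perm_ok() {
    [ "$1" -eq 0 ] || return 1
    [ $(( 0$2 & 022 )) -eq 0 ]    # 022 (octal) = group and other write bits
}

# check_chroot_path DIR: apply jail_perm_ok to DIR and every parent up to /.
check_chroot_path() {
    local dir="$1" rc=0 uid mode
    [ -d "$dir" ] || { echo "MISSING $dir"; return 2; }
    dir=$(cd "$dir" && pwd -P) || return 2
    while :; do
        uid=$(stat -c %u "$dir"); mode=$(stat -c %a "$dir")
        if ! jail_perm_ok "$uid" "$mode"; then
            echo "BAD  $dir (uid=$uid mode=$mode)"; rc=1
        fi
        [ "$dir" = / ] && break
        dir=$(dirname "$dir")
    done
    return $rc
}

# check_jail USER: verify the chroot and the user's writable files directory.
check_jail() {
    local user="$1" jail="/home/$1"
    check_chroot_path "$jail" || return 1
    if [ "$(stat -c %U "$jail/files" 2>/dev/null)" != "$user" ]; then
        echo "BAD  $jail/files is not owned by $user"; return 1
    fi
    echo "OK   $jail"
}

# Run as: sh check_jail.sh newuser
if [ $# -gt 0 ]; then check_jail "$1"; fi
```

If a path is reported as BAD, sshd refuses SFTP logins for that user until the ownership or mode is corrected. Running `sshd -t` before the restart additionally catches syntax errors in the edited sshd_config.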

Additional notes: If you wish to allow your chrooted SFTP user a little more flexibility (e.g. allow scp and/or rsync), then instead of giving them a /sbin/nologin shell, install rssh (apt-get install rssh) and give them a /usr/bin/rssh shell.