Question

Chroot not restricting user

Hello - I am trying to create an account on my droplet for SFTP usage only, and for which the user (with account <useraccount>) can only access a specific sub folder and its children. My droplet is running Ubuntu 16.04 with a LAMP stack. I have taken the following steps:

  • created <useraccount> and given it the home directory to which it will need access;
  • assigned <useraccount> to a specific user group <usergroup>;
  • set up root ownership for the parent of the home directory and all its parents, as well as 755 permissions;
  • set up <useraccount> ownership of the home directory and all the files and directories below it, with 755 permissions;
  • inserted the following at the end of /etc/ssh/sshd_config:

Subsystem sftp internal-sftp
Match USER <useraccount>:<usergroup>
    ChrootDirectory <home directory>
    PasswordAuthentication yes
    ForceCommand internal-sftp
    X11Forwarding no
    AllowTcpForwarding no
    PermitTunnel no
    AllowAgentForwarding n

When I test this account with FileZilla, I can log in via SFTP and FileZilla does go to the correct folder. However, there is no restriction to that folder and its children. Instead, I can navigate to any other folder within the droplet.

Can someone advise what I may be doing wrong and how I can restrict access to the home directory and its children?

Thanks,

Michael Trotz


Hi @michaeltrotz,

From what you’ve described, everything seems to be configured properly. I’ll add one small detail: try setting the ChrootDirectory to permission 700 rather than 755.

Additionally, you might want to try and change the line in your sshd_config

Match USER <useraccount>:<usergroup>

with

Match Group <usergroup>

Don’t forget to restart your sshd service

service sshd restart

Regards, KDSys
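As an added example (not part of the question or of KDSys's answer), the script below lays out an SFTP chroot the way sshd actually requires it and checks the result before touching sshd. Two points from sshd_config(5) matter here: every component of the ChrootDirectory path must be a root-owned directory that is not writable by group or others (so the chroot itself cannot be owned by <useraccount>; the user gets a writable subdirectory inside it instead), and a Match criterion is a pattern list of usernames or group names, so a token of the form <useraccount>:<usergroup> does not match anyone and the block is simply never applied. Everything after a Match line belongs to that block, so it must stay at the very end of the file, and the default "Subsystem sftp /usr/lib/openssh/sftp-server" line on Ubuntu must be replaced rather than duplicated, because sshd rejects a second "Subsystem sftp". The user name sftpuser, the group sftponly, the directory /var/www/sftpuser and the subdirectory name upload are placeholders I chose, not values from the post; the script assumes GNU stat (Ubuntu coreutils) and an Ubuntu service named ssh.

```shell
#!/bin/sh
# Added example; not the original poster's configuration. Placeholder values:
# SFTP_USER, SFTP_GROUP and CHROOT stand in for <useraccount>, <usergroup> and
# <home directory>; the "upload" subdirectory name is also an assumption.
SFTP_USER=${SFTP_USER:-sftpuser}
SFTP_GROUP=${SFTP_GROUP:-sftponly}
CHROOT=${CHROOT:-/var/www/sftpuser}

# Return 0 if an octal mode string (755, 1777, 2775, ...) has no group or
# other write bit. sshd refuses a ChrootDirectory if any path component is
# group- or world-writable, regardless of who owns it.
mode_is_chroot_safe() {
    case "$1" in
        *[2367]|*[2367]?) return 1 ;;   # last digit = other, one before it = group
    esac
    return 0
}

# Return 0 if a component with numeric owner $1 and octal mode $2 satisfies
# the ChrootDirectory rules: owned by root (uid 0) and not g/o-writable.
component_ok() {
    [ "$1" = 0 ] && mode_is_chroot_safe "$2"
}

# Walk from DIR up to / and print every component sshd would reject.
# Returns non-zero if any component is bad. Uses GNU stat -c.
check_chroot_path() {
    d=$1; rc=0
    while :; do
        set -- $(stat -c '%u %a' "$d")   # "<uid> <octal mode>"
        if ! component_ok "$1" "$2"; then
            printf 'BAD: %s (uid %s, mode %s)\n' "$d" "$1" "$2"
            rc=1
        fi
        [ "$d" = / ] && break
        d=$(dirname "$d")
    done
    return "$rc"
}

# Print the sshd_config fragment for group $1 chrooted into $2. Compared with
# the posted config: the criterion is "Match Group <group>" (a name pattern),
# the options under Match are indented to show they belong to the block, and
# the block must be appended at the end of the file after the default
# "Subsystem sftp" line has been removed.
render_sftp_match() {
    cat <<EOF
Subsystem sftp internal-sftp

Match Group $1
    ChrootDirectory $2
    ForceCommand internal-sftp
    PasswordAuthentication yes
    X11Forwarding no
    AllowTcpForwarding no
    PermitTunnel no
    AllowAgentForwarding no
EOF
}

# Create the account and the directory layout: root owns the chroot (755),
# the user owns a writable subdirectory inside it. Must run as root.
setup_sftp_chroot() {
    groupadd -f "$SFTP_GROUP"
    id "$SFTP_USER" >/dev/null 2>&1 ||
        useradd -M -g "$SFTP_GROUP" -d "$CHROOT" -s /usr/sbin/nologin "$SFTP_USER"
    install -d -o root -g root -m 755 "$CHROOT"
    install -d -o "$SFTP_USER" -g "$SFTP_GROUP" -m 755 "$CHROOT/upload"
    check_chroot_path "$CHROOT" || return 1
    render_sftp_match "$SFTP_GROUP" "$CHROOT" >> /etc/ssh/sshd_config
    sshd -t && service ssh restart      # sshd -t validates the file before restarting
}

# Usage: sh sftp_chroot.sh apply | check [DIR] | render
case "${1:-}" in
    apply)  setup_sftp_chroot ;;
    check)  check_chroot_path "${2:-$CHROOT}" ;;
    render) render_sftp_match "$SFTP_GROUP" "$CHROOT" ;;
esac
```

Run `sh sftp_chroot.sh check /var/www/sftpuser` first: if it prints any BAD line, sshd would either refuse the login ("bad ownership or modes for chroot directory" in auth.log) or, if the Match block is not applying at all, let the user in unchrooted exactly as described in the question. In FileZilla the chrooted user then sees "/" containing only "upload", which is the only place it can write.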