Hello - I am trying to create an account on my droplet for SFTP usage only, for which the user (with account <useraccount>) can only access a specific sub folder and its children. My droplet is running Ubuntu 16.04 with a LAMP stack. I have taken the following steps:

  • created <useraccount> and given it the home directory to which it will need access;
  • assigned <useraccount> to a specific user group <usergroup>;
  • set up root ownership for the parent of the home directory and all its parents, as well as 755 permissions;
  • set up <useraccount> ownership of the home directory and all the files and directories below it, with 755 permissions;
  • inserted the following at the end of /etc/ssh/sshd_config:

Subsystem sftp internal-sftp
Match USER <useraccount>:<usergroup>
ChrootDirectory <home directory>
PasswordAuthentication yes
ForceCommand internal-sftp
X11Forwarding no
AllowTcpForwarding no
PermitTunnel no
AllowAgentForwarding no

  • When I test this account with FileZilla, I can log in via SFTP and FileZilla does go to the correct folder. However, there is no restriction to that folder and its children. Instead, I can navigate to any other folder within the droplet.

Can someone advise what I may be doing wrong and how I can restrict access to the home directory and its children?

Thanks,

Michael Trotz


1 answer

Hi @michaeltrotz,

From what you've described, everything seems to be configured properly. I'll add one small detail: try setting the ChrootDirectory to have permission 700 rather than 755.

Additionally, you might want to try changing the line in your sshd_config

Match USER <useraccount>:<usergroup>

with

Match Group <usergroup>

Don’t forget to restart your sshd service

service sshd restart

Regards,
KDSys
