A user was created and added to a group. The group has been chroot jailed in the /var/www directory by adding the following statements to the sshd_config file:
Match group group_name
ChrootDirectory %h
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
With the above statements, the user is restricted to his home directory, i.e. /var/www (the home directory was designated while creating the user), but the user is not yet able to log in to a terminal through SSH.
Now, it is required to allow this user to log in to a terminal through SSH (PuTTY) and be able to change his password. It is also required to restrict this user so that he can only change his password and cannot use any other command.
So finally, the user will be able to log in to SFTP (WinSCP) and use it to upload his files, and be able to log in to a terminal through SSH (PuTTY) and change his password.
Can someone please advise on the necessary steps to allow SSH access/login simultaneously along with SFTP access?
PS: The setting is required for Ubuntu!
I am not sure if there is currently a good solution for this, since a chrooted user would not have access to /etc/passwd and /etc/shadow to be able to update passwords, even if you add the passwd utility to their path. If the only need for SSH is for password changes, using SSH keys would be a more secure option, or you could set up something like Webmin/Usermin, which can be restricted to allow users to perform password changes via a web interface.
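The two restrictions discussed in the question and the answer can be checked together. The following is an added example, not code from the original poster or the answerer: it reads the Match block from the question and, for a member of the group, reports that ForceCommand takes the place of a shell and whether the chroot tree lacks etc/passwd and etc/shadow. The function names and the simplified Match handling (a single `Group` criterion with literal names) are assumptions of this example.

```python
import os

# Constructed sample: the Match block from the question above.
SAMPLE_CONFIG = """\
Match group group_name
ChrootDirectory %h
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
"""

def effective_settings(config_text, user_groups):
    """Return the keywords applied to a user by matching 'Match Group' blocks.

    Simplified model (assumption): only a lone 'Match Group a,b' criterion
    is handled, names are literal, and the first value seen for a keyword wins.
    """
    settings, active = {}, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            crit, _, names = value.partition(" ")
            wanted = set(names.replace(" ", "").split(","))
            active = crit.lower() == "group" and bool(wanted & set(user_groups))
        elif active:
            settings.setdefault(keyword, value)
    return settings

def explain(config_text, user_groups, home):
    """List why a shell login followed by passwd cannot work for this user."""
    s = effective_settings(config_text, user_groups)
    reasons = []
    if "forcecommand" in s:
        # A forced command runs instead of whatever the client asked for.
        reasons.append("ForceCommand %s replaces any requested shell" % s["forcecommand"])
    if "chrootdirectory" in s:
        root = s["chrootdirectory"].replace("%h", home)  # %h is the user's home
        for rel in ("etc/passwd", "etc/shadow"):
            if not os.path.exists(os.path.join(root, rel)):
                reasons.append("%s missing inside chroot %s" % (rel, root))
    return reasons

if __name__ == "__main__":
    for reason in explain(SAMPLE_CONFIG, ["group_name"], "/var/www"):
        print(reason)
```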