How to configure chrooted users with SFTP-only access.
Environment
- Red Hat Enterprise Linux
Issue
- Learn how to set up chrooted users with SFTP-only access, using SSH keys.
Resolution
Create a chroot sftp user.
# useradd testuser
Create an sftp group.
# groupadd sftpusers
Add the chroot user to the sftp group.
# usermod -aG sftpusers testuser
Make a root directory for the chroot users.
# mkdir /sftp
Create the user's chroot directory.
# mkdir /sftp/testuser
Configure the correct permissions and ownership for the chroot directory.
# chown testuser:testuser /sftp/testuser
# chmod 700 /sftp/testuser
Create a .ssh directory with an authorized_keys file in the user's home directory.
# mkdir /home/testuser/.ssh
# touch /home/testuser/.ssh/authorized_keys
# chmod 700 /home/testuser/.ssh
# chmod 600 /home/testuser/.ssh/authorized_keys
Copy and paste the contents of the client's .ssh/id_rsa.pub file into the authorized_keys file that you just created.
Configure the correct ownership of the .ssh directory and the authorized_keys file.
# chown testuser:testuser /home/testuser/.ssh
# chown testuser:testuser /home/testuser/.ssh/authorized_keys
Change the Subsystem line in the /etc/ssh/sshd_config file.
Subsystem sftp internal-sftp
Add a Match block at the end of the /etc/ssh/sshd_config file.
Match Group sftpusers
ChrootDirectory /sftp/
ForceCommand internal-sftp -d /%u
Restart the sshd service.
Red Hat Enterprise Linux 6
# service sshd restart
Red Hat Enterprise Linux 7 or newer
# systemctl restart sshd
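The following script is an added example, not part of the Red Hat article: it verifies the result of the steps above before users are let in. It checks the ChrootDirectory ownership and permission rule that sshd enforces (root-owned, not group- or world-writable), the authorized_keys ownership and mode, and the two sshd_config fragments. The script name, argument order and use of GNU stat are assumptions.

```shell
#!/bin/sh
# Added example (not from the article): post-setup checks for a chroot
# SFTP user. Usage: sh check-sftp-chroot.sh USER CHROOT_ROOT GROUP [SSHD_CONFIG]
# e.g. sh check-sftp-chroot.sh testuser /sftp sftpusers /etc/ssh/sshd_config
# Requires GNU stat (as on RHEL).

# sshd rejects a ChrootDirectory unless it is owned by root and not writable
# by group or others. This checks one directory; sshd applies the same rule
# to every path component, so call it on each ancestor as well.
check_chroot_dir() {
    dir=$1
    [ -d "$dir" ] || { echo "FAIL: $dir is not a directory"; return 1; }
    uid=$(stat -c '%u' "$dir"); mode=$(stat -c '%a' "$dir")
    [ "$uid" -eq 0 ] || { echo "FAIL: $dir owned by uid $uid, must be root"; return 1; }
    tail=${mode#"${mode%??}"}     # last two octal digits: group and other
    case $tail in
        *[2367]*) echo "FAIL: $dir mode $mode is group/world writable"; return 1 ;;
    esac
    echo "ok: chroot dir $dir"
}

# authorized_keys must belong to the user and be mode 600, as the article sets it.
check_key_file() {
    f=$1 owner=$2
    [ -f "$f" ] || { echo "FAIL: $f missing"; return 1; }
    [ "$(stat -c '%U' "$f")" = "$owner" ] || { echo "FAIL: $f not owned by $owner"; return 1; }
    [ "$(stat -c '%a' "$f")" = 600 ] || { echo "FAIL: $f mode $(stat -c '%a' "$f"), want 600"; return 1; }
    echo "ok: key file $f"
}

# The two sshd_config pieces from the article: the internal-sftp Subsystem and
# a Match Group block that sets ChrootDirectory and forces internal-sftp.
check_sshd_config() {
    cfg=$1 grp=$2
    grep -Eq '^[[:space:]]*Subsystem[[:space:]]+sftp[[:space:]]+internal-sftp' "$cfg" \
        || { echo "FAIL: $cfg lacks 'Subsystem sftp internal-sftp'"; return 1; }
    awk -v grp="$grp" '
        /^[ \t]*Match[ \t]/ { inblk = ($0 ~ ("Group[ \t]+" grp "([ \t]|$)")); next }
        inblk && /^[ \t]*ChrootDirectory[ \t]/            { chroot = 1 }
        inblk && /^[ \t]*ForceCommand[ \t]+internal-sftp/ { force = 1 }
        END { exit !(chroot && force) }' "$cfg" \
        || { echo "FAIL: no 'Match Group $grp' block with ChrootDirectory and ForceCommand internal-sftp"; return 1; }
    echo "ok: sshd_config $cfg"
}

if [ $# -ge 3 ]; then
    rc=0
    check_chroot_dir "$2" || rc=1
    check_key_file "/home/$1/.ssh/authorized_keys" "$1" || rc=1
    check_sshd_config "${4:-/etc/ssh/sshd_config}" "$3" || rc=1
    exit $rc
fi
```

Run it as root after restarting sshd; a FAIL line on the chroot directory is the usual reason a chrooted login is refused with a "bad ownership or modes" message in the sshd log.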
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.