How to configure chrooted users with SFTP-only access.

Solution Verified - Updated -


  • Red Hat Enterprise Linux


  • Learn how to set up chrooted users with SFTP-only access, using SSH keys.


Create a chroot sftp user.

# useradd testuser

Create an sftp group.

# groupadd sftpusers

Add the chroot user to the sftp group.

# usermod -aG sftpusers testuser

Make a root directory for the chroot users.

# mkdir /sftp

Create the user's chroot directory.

# mkdir /sftp/testuser

Configure the correct permissions and ownership for the chroot directory.

# chown testuser:testuser /sftp/testuser
# chmod 700 /sftp/testuser

Create an .ssh directory with an authorized_keys file in the user's /home/directory.

# mkdir /home/testuser/.ssh
# touch /home/testuser/.ssh/authorized_keys
# chmod 700 /home/testuser/.ssh
# chmod 600 /home/testuser/.ssh/authorized_keys

Copy and paste the contents of the .ssh/ file from the client into the authorized_keys file that you just created.

Configure the correct ownership of the .ssh directory and the authorized_keys file.

# chown testuser:testuser /home/testuser/.ssh
# chown testuser:testuser /home/testuser/.ssh/authorized_keys

Change the Subsystem line in the /etc/ssh/sshd_config file.

Subsystem   sftp    internal-sftp

Add a Match block at the end of the /etc/ssh/sshd_config file.

Match Group sftpusers
ChrootDirectory /sftp/
ForceCommand internal-sftp -d /%u

Restart the sshd service.

Red Hat Enterprise Linux 6

# service sshd restart

Red Hat Enterprise Linux 7 or newer

# systemctl restart sshd

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.