Restrict a user’s SFTP access (chroot)

OpenSSH lets you restrict a user's access, which is useful to prevent the user from reaching system folders other than their personal folder.

OpenSSH

OpenSSH has included the ChrootDirectory option since version 4.9. The following command installs OpenSSH if it is not already present on your system:

Note that the following modifications give the user restricted access to the assigned SFTP folder and remove the user's right to connect over SSH.


User rights

Now we can:
– create a group for restricted users,
– create our restricted user,
– change the configuration of the user's home folder (it must belong to root to be chrooted) and of its content:


Chroot configuration

All that is left is to configure OpenSSH by editing its configuration file, /etc/ssh/sshd_config:

Define the group to which the restriction applies.

Define the restriction directory, that is, the home folder of each affected user.

Disable X11Forwarding.

Disable TCP forwarding (AllowTcpForwarding).

The service must be restarted:

It may be useful to disable the restriction for a particular user via the following configuration:
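Relating to the "User rights" step above (the home folder must belong to root to be chrooted): the following check is an added example, not part of the original page. It verifies the chroot directory and each of its parent directories before sshd is restarted. The function names and the /home/sftpuser path are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original page). sshd refuses a chrooted session
# with a "bad ownership or modes for chroot directory" error unless every
# component of the ChrootDirectory path is a root-owned directory that is
# not group- or world-writable.

# chroot_component_ok DIR UID
# Succeeds if DIR is a directory owned by numeric UID and not writable by
# group or others. Parses the portable `ls -ldn` listing (symlinks followed).
chroot_component_ok() {
    ls -ldnL "$1" 2>/dev/null | (
        read -r perms _links uid _rest || exit 1
        [ "$uid" = "$2" ] || exit 1
        case $perms in
            d????w*|d???????w*) exit 1 ;;  # group- or world-writable
            d*) exit 0 ;;
            *) exit 1 ;;                   # not a directory
        esac
    )
}

# check_chroot_path ABSOLUTE_DIR [UID]
# Walks from ABSOLUTE_DIR up to /, prints the first component that fails and
# returns 1; returns 0 if all pass. UID defaults to 0 (root); the override
# exists only so the check can be exercised without root.
check_chroot_path() {
    path=$1
    owner=${2:-0}
    case $path in
        /*) ;;
        *) echo "not an absolute path: $path" >&2; return 2 ;;
    esac
    while :; do
        chroot_component_ok "$path" "$owner" || { echo "$path"; return 1; }
        [ "$path" = / ] && return 0
        path=$(dirname "$path")
    done
}

# Usage: sh check_chroot.sh /home/sftpuser   (hypothetical user home)
if [ "$#" -gt 0 ]; then
    check_chroot_path "$@"
fi
```

A non-zero exit with a printed path identifies the component whose owner or mode has to be corrected.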