OpenSSH

Introduction

This guide will help you configure OpenSSH to restrict users to their home directories. Please note that these instructions are not intended to support shell logins; any user accounts modified in accordance with this guide will have the ability to transfer files, but not the ability to log into a remote shell session.

Configure OpenSSH

Edit the /etc/ssh/sshd_config file, making sure the following line is present. If your system's file already has a line that begins with "Subsystem sftp", modify it to match the following:

File: /etc/ssh/sshd_config

Subsystem sftp internal-sftp

Then add the following block to the end of the file:

File: /etc/ssh/sshd_config

Match group filetransfer
    ChrootDirectory %h
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp
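# The Match block above runs to the end of the file, so no closing line is needed; current sshd rejects a bare "Match" line.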
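
One way to confirm that an sshd_config file still carries these settings before restarting the daemon, as an added example that is not part of the original guide: it splits config text into global settings and Match blocks, then reports where the filetransfer block differs from the values above. The sample configs, the "deploy" user and the function names are constructed for illustration, and only plain "keyword value" lines are parsed.

```python
REQUIRED = {  # keyword (lower-cased) -> value from the guide's Match block
    "chrootdirectory": "%h", "forcecommand": "internal-sftp",
    "allowtcpforwarding": "no", "x11forwarding": "no",
}

def parse(text):
    """Split config text into global settings and an ordered list of Match blocks."""
    glob, blocks = {}, []
    current = glob
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword, value = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if keyword == "match":  # every following line belongs to this block
            current = {}
            blocks.append((value.split(), current))
        else:
            current.setdefault(keyword, value)  # sshd uses the first value it sees
    return glob, blocks

def audit(text, group="filetransfer"):
    """Return findings; an empty list means the guide's settings are in place."""
    glob, blocks = parse(text)
    findings = []
    if glob.get("subsystem", "").split() != ["sftp", "internal-sftp"]:
        findings.append("Subsystem sftp is not internal-sftp")
    block = next((opts for crit, opts in blocks
                  if len(crit) == 2 and crit[0].lower() == "group"
                  and group in crit[1].split(",")), None)
    if block is None:
        return findings + ["no Match block for group " + group]
    for keyword, want in REQUIRED.items():
        got = block.get(keyword, glob.get(keyword))  # block overrides global
        if got != want:  # unset is reported too: sshd defaults are not modelled
            findings.append(f"{keyword}: want {want!r}, got {got!r}")
    return findings

# Constructed samples: the guide's settings, then a file where they have drifted.
GUIDE = ("Subsystem sftp internal-sftp\nMatch group filetransfer\n"
         "    ChrootDirectory %h\n    X11Forwarding no\n"
         "    AllowTcpForwarding no\n    ForceCommand internal-sftp\n")
DRIFTED = ("Subsystem sftp /usr/lib/openssh/sftp-server\n"
           "Match Group filetransfer\n    ChrootDirectory %h\n"
           "    AllowTcpForwarding yes\nMatch User deploy\n    ForceCommand internal-sftp\n")
if __name__ == "__main__":
    for name, text in (("guide", GUIDE), ("drifted", DRIFTED)):
        print(name, audit(text) or "ok")
```

In the drifted sample, ForceCommand sits under the "deploy" block, so members of filetransfer are not forced into SFTP even though the directive appears in the file.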

Restart OpenSSH as follows:

sudo /etc/init.d/ssh restart

Create User Group

The above configuration changes restrict every user in a group called filetransfer to SFTP only, and chroot them to their home directory.

So let's create this new user group:

sudo addgroup filetransfer

That's it for now. We are going to use this specifically for users created for websites. To see how this works, see the page on Website User Management.
