Restrict Ubuntu SSH Users to SFTP Chroot Jail
This guide explains how to secure your Ubuntu Linux server by restricting specific users to SFTP access only and confining them to a designated directory using a chroot jail. By implementing these restrictions, you prevent users from accessing the SSH command-line interface or viewing other parts of the server’s filesystem, enhancing overall system security.
Step 1: Create a Dedicated SFTP Group and User
To manage restricted users easily, create a dedicated group for SFTP-only access.
Run the following command to create the group:
sudo groupadd sftp_users
Next, create a new user assigned to this group. Disallow shell access by setting the shell to /usr/sbin/nologin:
sudo useradd -g sftp_users -d /incoming -s /usr/sbin/nologin sftpuser
Note that sshd changes into the user's home directory only after it has entered the chroot, so a home directory of /incoming here means /var/sftp/sftpuser/incoming (created in Step 2), not a directory at the real root of the filesystem. For that reason the -m option is left out: it would create an unrelated /incoming directory on the real filesystem.
Set a secure password for the newly created user:
sudo passwd sftpuser
Step 2: Configure the Chroot Directory
The SSH daemon requires strict ownership and permissions for the chroot jail directory. The chroot directory, and every directory above it on the path, must be owned by root and must not be writable by group or others. If any component fails this check, sshd refuses the login and logs "bad ownership or modes for chroot directory component".
Create the directory structure for the chroot jail:
sudo mkdir -p /var/sftp/sftpuser/incoming
Set the ownership of the root chroot directory to root:
sudo chown root:root /var/sftp/sftpuser
sudo chmod 755 /var/sftp/sftpuser
The parent /var/sftp, created by the same mkdir, is also owned by root with mode 755 under the default umask; it must meet the same requirement because every component of the chroot path is checked. Since the chroot root itself is not writable by the user, a separate writable subdirectory is needed. Set the ownership of the incoming directory (where the user will actually upload files) to the SFTP user:
sudo chown sftpuser:sftp_users /var/sftp/sftpuser/incoming
Step 3: Configure the SSH Daemon
You must configure OpenSSH to force the sftp_users group
into SFTP-only mode and apply the chroot jail.
Open the SSH configuration file in a text editor:
sudo nano /etc/ssh/sshd_config
Scroll to the bottom of the file and append the following configuration block. It has to be the last thing in the file: every directive after a Match line belongs to that Match block until the next Match line, so any global setting placed below it would apply only to the sftp_users group.
Match Group sftp_users
ChrootDirectory /var/sftp/%u
ForceCommand internal-sftp
X11Forwarding no
AllowTcpForwarding no
PasswordAuthentication yes
Configuration Breakdown:
- Match Group sftp_users: Applies these rules only to users in the sftp_users group.
- ChrootDirectory /var/sftp/%u: Confines the user to their specific directory (%u dynamically represents the username).
- ForceCommand internal-sftp: Forces the use of the in-process SFTP server and disables command-line execution. Because internal-sftp does not invoke the login shell, the /usr/sbin/nologin shell set in Step 1 does not interfere with SFTP sessions.
- X11Forwarding no & AllowTcpForwarding no: Prevents port forwarding and GUI redirection, so the jailed account cannot be used as a tunnel into the network.
- PasswordAuthentication yes: Allows password logins for these users even if password authentication is disabled globally. Omit it if the SFTP users authenticate with keys; note that sshd reads authorized_keys from the user's home directory on the real filesystem, before the chroot, so with a home directory of /incoming you would also need AuthorizedKeysFile to point at a location that exists outside the jail.
Save and close the file (in Nano, press Ctrl+O,
Enter, then Ctrl+X).
Step 4: Test and Restart the SSH Service
Before restarting the SSH service, test the configuration file for syntax errors:
sudo sshd -t
If the command returns no output, the configuration is valid. Restart the SSH service to apply the changes:
sudo systemctl restart ssh
Step 5: Verify the Configuration
Verify the setup by attempting to log in via standard SSH. The connection should be immediately closed:
ssh sftpuser@your_server_ip
Expected result: after authentication succeeds, sshd prints "This service allows sftp connections only." and closes the connection; no shell is started.
Now, test the connection using an SFTP client:
sftp sftpuser@your_server_ip
Once connected, verify you are restricted to the chroot jail. pwd should report /incoming, and attempting to navigate up the directory tree (cd ..) leaves you at /, the root of the jail, where only the incoming directory is visible. An upload into / fails with a permission error because that directory is owned by root; you should only be able to write files inside the /incoming directory.
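The whole procedure as a script, added here as an example and not part of the original guide. It automates Steps 1 to 4 for one user and, before restarting sshd, walks the chroot path and applies the same ownership and mode test sshd performs, which is the check a practitioner wants when a login fails with "bad ownership or modes for chroot directory". It assumes Ubuntu with OpenSSH, the sftp_users group and /var/sftp layout used above, and the hypothetical script name sftp-chroot.sh; the "apply" mode must run as root.

```shell
#!/bin/bash
# Added example, not part of the original guide: automates Steps 1-4 and
# checks the chroot path the way sshd does before restarting the service.
# Assumptions: Ubuntu with OpenSSH, the group, user and path names from the
# guide, and root privileges for "apply".  Usage:
#   sudo ./sftp-chroot.sh apply sftpuser              # user, jail and config
#   sudo ./sftp-chroot.sh check /var/sftp/sftpuser    # verify an existing jail
set -u

SFTP_GROUP="sftp_users"
SFTP_ROOT="/var/sftp"

# sshd refuses a ChrootDirectory unless every directory on the path is owned
# by root and is neither group- nor world-writable; the login then fails with
# "bad ownership or modes for chroot directory component".  This walks each
# component below a trusted ancestor and reports the first violation.
#   $1 = trusted ancestor (normally /), $2 = path below it,
#   $3 = uid that must own every component (default 0 = root)
check_chroot_path() {
    base="${1%/}"; rel="$2"; want_uid="${3:-0}"
    old_ifs="$IFS"; IFS='/'
    set -- $rel                    # split on '/', empty parts are skipped
    IFS="$old_ifs"
    path="$base"
    for comp in "$@"; do
        [ -n "$comp" ] || continue
        path="$path/$comp"
        if [ ! -d "$path" ]; then
            echo "BAD: $path is missing or not a directory"; return 1
        fi
        uid=$(stat -c '%u' "$path")    # numeric owner (GNU stat)
        mode=$(stat -c '%a' "$path")   # octal permission bits
        if [ "$uid" != "$want_uid" ]; then
            echo "BAD: $path is owned by uid $uid, expected $want_uid"; return 1
        fi
        # 022 = group-write | world-write; either bit disqualifies the path
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "BAD: $path has mode $mode (group or world writable)"; return 1
        fi
    done
    echo "OK: $path"
}

# Steps 1-4 of the guide for one user.  Idempotent; must run as root.
apply_sftp_user() {
    user="$1"; jail="$SFTP_ROOT/$user"
    getent group "$SFTP_GROUP" >/dev/null || groupadd "$SFTP_GROUP"
    # No -m: sshd resolves the home directory after chroot(2), so /incoming
    # means $jail/incoming, which is created below with the right ownership.
    id "$user" >/dev/null 2>&1 ||
        useradd -g "$SFTP_GROUP" -d /incoming -s /usr/sbin/nologin "$user"
    install -d -o root -g root -m 755 "$SFTP_ROOT" "$jail"
    install -d -o "$user" -g "$SFTP_GROUP" -m 750 "$jail/incoming"
    check_chroot_path / "$jail" 0 || return 1
    # Append the Match block once; it must stay at the end of sshd_config
    # because every directive after a Match line belongs to that block.
    if ! grep -q "^Match Group $SFTP_GROUP" /etc/ssh/sshd_config; then
        cat >> /etc/ssh/sshd_config <<EOF

Match Group $SFTP_GROUP
    ChrootDirectory $SFTP_ROOT/%u
    ForceCommand internal-sftp
    X11Forwarding no
    AllowTcpForwarding no
    PasswordAuthentication yes
EOF
    fi
    sshd -t && systemctl restart ssh
}

case "${1:-}" in
    apply) apply_sftp_user "${2:?usage: $0 apply USERNAME}" ;;
    check) check_chroot_path / "${2:?usage: $0 check CHROOT_DIR}" 0 ;;
esac
```

The check function takes a trusted ancestor as its first argument so that it can be exercised on a scratch tree (for example under a temporary directory, which is itself world-writable and would otherwise fail the test); for a real jail call it with / and the full chroot path, as the "check" mode does. A 750 mode on the incoming directory is a choice made here, not something the guide prescribes; 755 works equally well for the jail.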