Ubuntu SSH internal-sftp Subsystem Explained

This article explains the internal-sftp subsystem within the Ubuntu Linux SSH server configuration. You will learn what this subsystem is, how it differs from the traditional external SFTP server, why it is preferred for securing user environments, and how to configure it on your Ubuntu system to restrict users to their home directories.

What is the internal-sftp Subsystem?

In the OpenSSH server (sshd) on Ubuntu, the SFTP (Secure File Transfer Protocol) service is defined as a subsystem. Historically, SSH handled SFTP connections by launching an external binary, typically located at /usr/lib/openssh/sftp-server.

The internal-sftp subsystem is an alternative implementation. Instead of launching an external program, it runs the SFTP service directly inside the already-running sshd process. This in-process execution provides significant security and administrative advantages.

Key Advantages of internal-sftp

1. Simplified Chroot Jails

When you restrict a user to a specific directory (known as a “chroot jail”, configured with the ChrootDirectory directive), the SSH server isolates them from the rest of the filesystem.

* If you use the external sftp-server binary, you must copy that binary, its dependent system libraries, and the /dev nodes it needs into the chroot directory so it can run.
* If you use internal-sftp, no external files are required. Because the code runs inside the main sshd process, it already has the necessary resources loaded, allowing you to chroot users into completely empty directories.

2. Enhanced Security

Using internal-sftp allows system administrators to completely disable shell access (like bash or sh) for file-transfer users. By combining it with the ForceCommand internal-sftp directive, the user is strictly limited to file transfer operations and cannot execute arbitrary terminal commands on the Ubuntu server.

3. Performance and Efficiency

Because it does not require the operating system to fork a new process and execute an external binary for every SFTP session, internal-sftp uses fewer system resources and initiates connections slightly faster.

How to Configure internal-sftp on Ubuntu

To configure the internal SFTP subsystem, you must edit the SSH daemon configuration file. Follow these steps to set up a secure, chrooted SFTP environment:

  1. Open the SSH configuration file with root privileges:

    sudo nano /etc/ssh/sshd_config
  2. Locate the line defining the SFTP subsystem. By default, it often looks like this:

    Subsystem sftp /usr/lib/openssh/sftp-server
  3. Change it to use the internal subsystem:

    Subsystem sftp internal-sftp
  4. To restrict a specific group of users (for example, a group named sftp-only) so they can only use SFTP and are locked to their home directories, add the following block to the end of the file:

    Match Group sftp-only
        ChrootDirectory %h
        ForceCommand internal-sftp
        AllowTcpForwarding no
        X11Forwarding no

    (Note: %h represents the user’s home directory. sshd requires the chroot directory, and every directory above it up to /, to be owned by root and not writable by group or others; otherwise the login is refused. Because the user therefore cannot write into the chroot root itself, keep the home directory root-owned and give the user a writable subdirectory, for example upload, for their files.)

  5. Save the file and restart the SSH service to apply the changes:

    sudo systemctl restart ssh