Configuring SFTP CHROOT service


Let’s consider a situation where you need to provide a secure FTP service on your Linux server without installing any new packages. An easy way to achieve this is to configure an SFTP chroot service on top of the SSH daemon. By default all Linux systems come with the SSH service pre-configured, so you only need to edit its existing configuration for this purpose.

1) Modify the “/etc/ssh/sshd_config” file to reflect the changes below

#Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem       sftp    internal-sftp

2) Append the configuration below to “/etc/ssh/sshd_config”, depending on whether you want to match by group or by user

For Group:

# sftp-users is a group; %h is the user's home directory
Match Group sftp-users
ChrootDirectory %h
ForceCommand internal-sftp
AllowTcpForwarding no

For User:

# dave is an SFTP user; %h is the user's home directory
Match User dave
ChrootDirectory %h
ForceCommand internal-sftp

3) Change the ownership of the chrooted directory to root. Assuming user “dave” has the home directory “/home/dave”:

chown root /home/dave

The above makes /home/dave browsable by “dave”, but he will not have write permission to the folder. In that case we could create a folder within /home/dave and give the user write access to it. Unfortunately, this poses a security threat, as it could allow the user to escalate their privileges to root and escape the chroot environment. To overcome this, use the method below:

mkdir /home/dave/doc
mkdir -p /sftp/users/dave/doc
mount --bind /sftp/users/dave/doc/ /home/dave/doc/
chown dave /sftp/users/dave/doc/

4) For the group scenario, you also have to add the users to the sftp-users group

usermod -aG sftp-users dave

5) Make sure to set the SFTP users’ shell to “/usr/sbin/nologin” to prevent them from getting normal SSH access.

usermod -s /usr/sbin/nologin dave
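Once the five steps above are done, the easiest mistake to leave behind is a chroot path that sshd will reject (it requires every component of the ChrootDirectory path to be a root-owned directory that is not writable by group or others), a user whose shell was never changed, or a bind mount that is no longer present. The script below is an added example, not part of the original post: it checks each of those conditions for the assumed values user “dave”, chroot “/home/dave” and writable folder “/home/dave/doc”, and it assumes GNU stat (-c) and a Linux /proc.

```shell
#!/bin/sh
# Added example (not part of the original post): post-setup checks for the
# chroot SFTP user configured above. sshd refuses a ChrootDirectory unless
# every component of its path is a root-owned directory that is not writable
# by group or others, so chroot_chain_ok reproduces that rule. The script
# also checks that the user's login shell is /usr/sbin/nologin (step 5) and
# that the writable subfolder is an active mount point (the bind mount from
# step 3). Assumed values: user "dave", chroot "/home/dave", writable folder
# "/home/dave/doc". Requires GNU stat (-c) and Linux /proc.

# mode_is_safe OCTAL_MODE: succeeds if neither group nor others hold the
# write bit. A leading setuid/setgid/sticky digit (e.g. 1777) is ignored.
mode_is_safe() {
    perm=$(printf '%04d' "$1")    # zero-pad so the last three digits are the rwx bits
    perm=${perm#?}                # drop the setuid/setgid/sticky digit
    case $perm in
        ?[2367]?|??[2367]) return 1 ;;   # group or other write bit set
    esac
    return 0
}

# dir_is_safe DIR: succeeds if DIR is a directory owned by uid 0 whose
# permission bits pass mode_is_safe.
dir_is_safe() {
    [ -d "$1" ] || return 1
    uid=$(stat -c %u "$1") || return 1
    mode=$(stat -c %a "$1") || return 1
    [ "$uid" -eq 0 ] && mode_is_safe "$mode"
}

# chroot_chain_ok PATH: applies dir_is_safe to / and to every prefix of
# PATH (/home, /home/dave, ...), reporting the first offending directory.
chroot_chain_ok() {
    path=$1
    dir_is_safe / || { echo "not root-owned or writable: /" >&2; return 1; }
    old_ifs=$IFS
    IFS=/
    set -- $path                  # split the path into its components
    IFS=$old_ifs
    cur=""
    for comp in "$@"; do
        [ -n "$comp" ] || continue
        cur="$cur/$comp"
        dir_is_safe "$cur" || { echo "not root-owned or writable: $cur" >&2; return 1; }
    done
    return 0
}

# user_shell_is_nologin USER: succeeds if USER's login shell in the passwd
# database is /usr/sbin/nologin.
user_shell_is_nologin() {
    shell=$(getent passwd "$1" | cut -d: -f7)
    [ "$shell" = /usr/sbin/nologin ]
}

# mount_point_active DIR: succeeds if DIR is listed as a mount point in
# /proc/self/mounts, i.e. the bind mount is currently in place.
mount_point_active() {
    awk -v mp="$1" '$2 == mp { found = 1 } END { exit (found ? 0 : 1) }' /proc/self/mounts
}

# check_sftp_user USER CHROOT WRITABLE_DIR: runs every check, reports each
# failure on stderr, and fails if any check failed.
check_sftp_user() {
    rc=0
    chroot_chain_ok "$2" || rc=1
    user_shell_is_nologin "$1" || { echo "$1: shell is not /usr/sbin/nologin" >&2; rc=1; }
    mount_point_active "$3" || { echo "$3: not a mount point (bind mount missing?)" >&2; rc=1; }
    return $rc
}

# Usage: sh check-sftp-chroot.sh dave /home/dave /home/dave/doc
if [ "$#" -eq 3 ]; then
    check_sftp_user "$1" "$2" "$3" && echo "all checks passed for $1"
fi
```

Run it as root after the setup so that getent and stat see the real accounts and directories. Two related checks are worth pairing with it: `sshd -t` validates the syntax of sshd_config before you restart the daemon, and `sshd -T -C user=dave` prints the effective settings for that user, which is the quickest way to confirm that the Match block actually applies (remember that every directive after a Match line belongs to that block until the next Match, so the blocks must stay at the end of the file). The bind mount from step 3 does not survive a reboot unless it is also recorded in /etc/fstab, for example as `/sftp/users/dave/doc /home/dave/doc none bind 0 0`.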
