sftp with restricted folder


Vinh Nguyen


April 13, 2011

I recently needed to set up an ftp server (or sftp server) that allows the user to transfer files. I had some restrictions:

  1. The account cannot have ssh access since I don't want an unauthorized person to run jobs on the server.
  2. The account needs to be restricted to a single directory. I don't want the account to have access to all files on the server.

I first followed this guide to get proftpd up with an account. However, I kept getting errors trying to log in using Nautilus or Filezilla. The error came from PASV mode, which I think stems from a firewall/NAT issue. I next tried this to use vsftpd. Still no go (same error).

I decided to use sftp since I know for sure ssh works and that it's more secure. Now that I think about it, none of my server has an ftp server running since sftp is more secure and Nautilus and Filezilla supports the sftp protocol.

From this post, I re-discovered rssh and the native support from recent versions of openssh. The "match user" method for openssh and the rssh method did not work for me. I finally stumbled on this post that made things work.

sudo apt-get install openssh ## this is already installed for me
## modify /etc/ssh/sshd_config
# Use the following line to *replace* any existing 'Subsystem' line
Subsystem sftp internal-sftp

# These lines must appear at the *end* of sshd_config
Match Group sftponly
ChrootDirectory %h
ForceCommand internal-sftp
AllowTcpForwarding no

## in shell
sudo groupadd sftponly
sudo useradd newuser
sudo passwd newuser ## set password
sudo usermod -g sftponly -s /bin/false -d /home/newuser newuser
sudo chown root:root /home/newuser
cd /home/newuser
sudo mkdir upload ## upload files in here
sudo chown newuser:newuser upload
sudo /etc/init.d/ssh restart

Now, ssh with the newuser should not work, and sftp (via command line, nautilus, or filezilla) should only access one location.

Note that /home/newuser is own by root, so newuser can't do much in there. Create a directory upload, and make newuser the owner.