Locking down an sftp user on Debian

This always ends up being a bit tricky, and some guides I’ve found on the net differ slightly from what I’ve got here. This seems to work pretty well for me on Debian.

Enter the following into /etc/sshd/config to allow sftp and to lock a user into a specific chroot’ed directory:

Subsystem sftp /usr/lib/openssh/sftp-server

For each user you want to lock down, you’ll first need to add the user, set the shell to false so they can’t log in via ssh and then set their home directory to where you want them chroot’ed:

useradd jorbloggs
usermod -s /bin/false joebloggs 
usermod -d /srv/www/somehome/ joebloggs

Now just add a few details for the user to /etc/sshd/config:

Match User joebloggs
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
ChrootDirectory %h


The users home directory must be owned by root and only writable by root – bit weird, but you get odd auth messages and it doesn’t work otherwise. There’s probably a work-around for this, but for me it doesn’t really matter. If or when I do need a work around I’ll post it here. Feel free to leave comments with tips/suggestions!

Leave a Reply