Many of us run into this situation: you have files on your system that you want to share over SFTP, but you do not want that user to be able to:
- log in via SSH and run any commands
- access anything outside a certain folder
This can be done with what is called chrooting (jailing the user inside one directory).
To do this on Ubuntu (the same applies to other Linux distros as well), follow these steps:
- Create a user, for example one named “external”
- Create a directory that is writable ONLY by user root and group root: “sudo mkdir /shared”
- Open /etc/ssh/sshd_config for editing: “sudo vi /etc/ssh/sshd_config”
- Comment out the following line: “Subsystem sftp /usr/libexec/openssh/sftp-server” and add this line instead: “Subsystem sftp internal-sftp”
- Add the following lines immediately after it, then save and exit:
    Match User external
        ChrootDirectory /shared
        AllowTCPForwarding no
        X11Forwarding no
        ForceCommand internal-sftp
- Restart the ssh service: “sudo /etc/init.d/ssh restart”
Now we’re done. Note that this can be applied to groups as well (with “Match Group”), not just to individual users.
As a test, first try sftp and navigate to any folder other than /shared, e.g. /etc:
sftp external@myserver
external@myserver’s password:
Connected to myserver.
sftp> cd /etc
Couldn’t canonicalise: No such file or directory
sftp>
Test successful! You are jailed in the /shared folder and cannot navigate anywhere else on the server.
Second, try connecting with ssh as that user:
ssh external@myserver
external@myserver’s password:
This service allows sftp connections only.
Great! Everything is now working perfectly. Enjoy!
Source: http://www.thegeekstuff.com/2012/03/chroot-sftp-setup/