SFTP Chroot on CentOS 6.5


This confines SFTP users to a chroot so they can transfer files without getting a shell on the server.

1. Create a group called “sftponly” (or any other name you prefer).

groupadd sftponly

2. Create a user for SFTP and assign a password. I will create “user1” as my first SFTP user.

useradd user1
passwd user1

3. Add the user to “sftponly” group.

usermod -aG sftponly user1

4. Modify the SSH daemon configuration to restrict the group to SFTP only.

vi /etc/ssh/sshd_config
# Locate the Subsystem line and replace it with the line below.
Subsystem       sftp    internal-sftp
# Add the following lines at the end of the file (everything after a Match line applies only to that match until the next Match).
Match Group sftponly
ChrootDirectory %h
ForceCommand internal-sftp
X11Forwarding no
AllowTcpForwarding no

5. Reload the SSH daemon.

service sshd reload

6. Create a directory where user1 can upload files. The chroot directory itself (/home/user1) must be owned by root and not writable by anyone else, or sshd will refuse the login.

sudo -u user1 mkdir -pv /home/user1/upload
chown root. /home/user1
chmod 755 /home/user1
chgrp -R sftponly /home/user1

7. Tell SELinux to allow writes to home directories inside an SSH chroot, since they are read-only by default.

setsebool -P ssh_chroot_rw_homedirs on

8. Now connect to your SFTP server from another Linux machine. You can also use FileZilla on Windows to test.

sftp user1@<yoursftpserver>
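Two pre-flight checks for the set-up above, as an added example (not part of the original post): the first reproduces the ownership and mode rules sshd enforces on ChrootDirectory and its parents, the second confirms sshd_config carries the Subsystem line and the Match block. Function names, the STOP and OWNER_UID parameters (which only exist so the walk can be exercised without root) and the GNU stat dependency are assumptions of this example.

```shell
#!/bin/sh
# Added example (not part of the original post).  Assumes GNU coreutils stat (Linux).
#
# 1. sshd refuses a chrooted login ("bad ownership or modes for chroot directory")
#    unless ChrootDirectory and every parent are owned by root and not group- or
#    world-writable.  check_chroot_tree walks the path upward and reports the
#    first offender.  STOP (exclusive) and OWNER_UID exist only so the walk can
#    be tried in a scratch directory without root; on the server run:
#        check_chroot_tree /home/user1 / 0
check_chroot_tree() {
    dir=$1; stop=${2:-/}; want_uid=${3:-0}
    while [ "$dir" != "$stop" ] && [ "$dir" != "/" ]; do
        info=$(stat -c '%u %a' "$dir") || return 1
        uid=${info% *}; mode=${info#* }
        [ "$uid" = "$want_uid" ] || { echo "bad owner uid $uid on $dir"; return 1; }
        # mask the group/other write bits (octal 022) out of the mode
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "group/other writable (mode $mode) on $dir"; return 1
        fi
        dir=$(dirname "$dir")
    done
    return 0
}

# 2. check_sftp_config FILE GROUP: succeeds only if FILE has
#    "Subsystem sftp internal-sftp" and a "Match Group GROUP" block that sets
#    ChrootDirectory and "ForceCommand internal-sftp".  Lines after a Match
#    belong to that block until the next Match, which is why the block goes
#    at the end of sshd_config.
check_sftp_config() {
    awk -v grp="$2" '
        tolower($1) == "subsystem" && $2 == "sftp" && $3 == "internal-sftp" { sub_ok = 1 }
        tolower($1) == "match" { inblk = (tolower($2) == "group" && $3 == grp) }
        inblk && tolower($1) == "chrootdirectory" { chroot_ok = 1 }
        inblk && tolower($1) == "forcecommand" && $2 == "internal-sftp" { force_ok = 1 }
        END { exit !(sub_ok && chroot_ok && force_ok) }
    ' "$1"
}
```

On the server, source the file and run `check_chroot_tree /home/user1 / 0 && check_sftp_config /etc/ssh/sshd_config sftponly` before reloading sshd.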
