
How to Restrict sFTP User Access to a Specific Directory on Ubuntu Linux

Ever needed an sFTP user who can only see one folder and nothing else? Let’s dive into a straightforward, no-fluff tutorial to create a locked-down sFTP user in your Linux system. With just a few commands, we’ll make sure your user is securely confined to a specific directory using chroot. Let’s jump in and make it happen!

Step 1: Create a New sFTP User

First things first, let's create our special user, testuser.

sudo adduser testuser

This command sets up your new user and lets you assign a password. Follow the prompts and complete the setup!

Step 2: Prepare SSH Access for the User

Next, we’ll set up a secure .ssh directory for testuser so they can authenticate via SSH.

sudo mkdir -p /home/testuser/.ssh
# /path/to/testuser_key.pub is a placeholder: the public key testuser will log in with
sudo cp /path/to/testuser_key.pub /home/testuser/.ssh/authorized_keys
sudo chown -R testuser:testuser /home/testuser/.ssh
sudo chmod 700 /home/testuser/.ssh
sudo chmod 600 /home/testuser/.ssh/authorized_keys

This process configures the user's SSH directory permissions, keeping everything nice and secure!

Step 3: Configure SSHD to Lock the User in a Specific Directory

Now it’s time for the magic! Open up the SSH configuration file:

sudo vi /etc/ssh/sshd_config

Scroll to the bottom and add these lines:

Match User testuser
    ChrootDirectory /juniors
    ForceCommand internal-sftp

This tells the system that whenever testuser connects, they’ll be locked into the /juniors directory, with only sFTP commands allowed. No wandering into other parts of the system!

Step 4: Set Permissions on the Restricted Directory

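To finish off, we need to ensure /juniors is owned by root and has the right permissions. sshd requires the chroot directory, and every directory above it, to be owned by root and not writable by group or others; if that is not the case, the login is refused. With these permissions testuser can read /juniors but cannot write directly into it.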

sudo chown root:root /juniors
sudo chmod 755 /juniors
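
A pre-flight check for the ownership rule in Step 4, added here as an example and not part of the original tutorial. The function names mode_ok and check_chroot_path are made up for this sketch, and it assumes GNU stat as shipped on Ubuntu.

```shell
#!/bin/sh
# Added example, not from the original tutorial. Assumes GNU stat (Ubuntu).
# sshd rejects the login unless every component of the ChrootDirectory path
# is owned by root and is not writable by group or others.

# mode_ok UID MODE: succeed if owner is root and no group/other write bit.
# MODE is the octal string printed by `stat -c %a` (e.g. 755, no leading 0).
mode_ok() {
    [ "$1" = "0" ] || return 1
    others=$(( $2 % 10 ))          # last octal digit
    group=$(( ($2 / 10) % 10 ))    # second-to-last octal digit
    [ $(( others & 2 )) -eq 0 ] && [ $(( group & 2 )) -eq 0 ]
}

# check_chroot_path DIR: walk from DIR up to /, report every bad component.
# Returns 0 if all pass, 1 if any fail, 2 on bad input.
check_chroot_path() {
    target=$1
    case $target in
        /*) ;;
        *) echo "not an absolute path: $target" >&2; return 2 ;;
    esac
    [ -d "$target" ] || { echo "not a directory: $target" >&2; return 2; }
    bad=0
    path=$target
    while :; do
        set -- $(stat -L -c '%u %a' "$path")
        if ! mode_ok "$1" "$2"; then
            echo "FAIL $path (uid=$1 mode=$2)" >&2
            bad=1
        fi
        [ "$path" = "/" ] && break
        path=$(dirname "$path")
    done
    return $bad
}

# Run the check when a directory is given on the command line.
if [ $# -gt 0 ]; then
    check_chroot_path "$1"
fi
```

Save it as a script and pass /juniors as the argument; any line starting with FAIL names a directory sshd will reject. Running sudo sshd -t afterwards also catches syntax errors in sshd_config before the service is restarted.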

Step 5: Restart SSH Service

Finally, let’s restart the SSH service to make our changes take effect.

sudo systemctl restart sshd

And that’s it! Now, testuser can connect via sFTP but will be locked inside /juniors. Any attempts to navigate outside this directory will be blocked!

Wrapping Up

With these simple steps, you’ve created a restricted sFTP user who can access only what you allow. This is a great setup for handling sFTP accounts for clients or securing sensitive data.