How to Restrict sFTP User Access to a Specific Directory on Ubuntu Linux
Ever needed an sFTP user who can only see one folder and nothing else? Let’s dive into a straightforward, no-fluff tutorial to create a locked-down sFTP user in your Linux system. With just a few commands, we’ll make sure your user is securely confined to a specific directory using chroot. Let’s jump in and make it happen!
Step 1: Create a New sFTP User
First things first, let's create our special user, testuser.
sudo adduser testuser
This command sets up your new user and lets you assign a password. Follow the prompts and complete the setup!
Step 2: Prepare SSH Access for the User
Next, we’ll set up a secure .ssh directory for testuser so they can authenticate via SSH.
sudo mkdir -p /home/testuser/.ssh
sudo cp /home/testuser/.ssh/authorized_keys /home/testuser/.ssh/
sudo chown -R testuser:testuser /home/testuser/.ssh
sudo chmod 700 /home/testuser/.ssh
sudo chmod 600 /home/testuser/.ssh/authorized_keys
This process configures the user's SSH directory permissions, keeping everything nice and secure!
Step 3: Configure SSHD to Lock the User in a Specific Directory
Now it’s time for the magic! Open up the SSH configuration file:
sudo vi /etc/ssh/sshd_config
Scroll to the bottom and add these lines:
Match User testuser
ChrootDirectory /juniors
ForceCommand internal-sftp
This tells the system that whenever testuser connects, they’ll be locked into the /juniors directory, with only sFTP commands allowed. No wandering into other parts of the system!
Step 4: Set Permissions on the Restricted Directory
To finish off, we need to ensure /juniors is owned by root and has the right permissions.
sudo chown root:root /juniors
sudo chmod -R 755 /juniors
Step 5: Restart SSH Service
Finally, let’s restart the SSH service to make our changes take effect.
sudo systemctl restart sshd
And that’s it! Now, testuser can connect via sFTP but will be locked inside /juniors. Any attempts to navigate outside this directory will be blocked! Wrapping Up
With these simple steps, you’ve created a restricted FTP user who can access only what you allow. This is a great setup for handling FTP accounts for clients or securing sensitive data.