# Chrooted SFTP

By default, OpenSSH lets SSH/SFTP users browse the whole system. In many cases this is not the expected behavior: users should be confined to their own home directory only.

Sometimes this is called “Chrooted SFTP”.

As we discussed before, SFTP users can see the whole system by default:

```
# sftp andrea@localhost
Connecting to localhost...
sftp> pwd
Remote working directory: /home/andrea
```


Users can be confined by changing the SFTP back-end:

```
# /etc/ssh/sshd_config
[...]
#Subsystem sftp /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftp
[...]
```


Users who are part of the webmaster group should only have access to the web server directory; other users should be restricted to their own home directory:

```
# /etc/ssh/sshd_config
[...]
Match User webmaster
    ChrootDirectory /var/www/html
    AllowTCPForwarding no
    X11Forwarding no
    ForceCommand internal-sftp
Match Group users
    ChrootDirectory /home
    AllowTCPForwarding no
    X11Forwarding no
    ForceCommand internal-sftp
[...]
```


Now users are restricted and cannot leave the configured directory:

```
andrea@localhost's password:
sftp> pwd
Remote working directory: /
```
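
sshd refuses a `ChrootDirectory` unless every component of the path is a root-owned directory that is not writable by group or others (see sshd_config(5)), so a chroot such as `/var/www/html` can fail at login purely because of its ownership. The following added example, which is not part of the original page, extracts the `ChrootDirectory` paths from a constructed copy of the Match blocks above and checks each path component; the function names are illustrative, and literal paths (no `%h`/`%u` tokens) are assumed.

```python
import os
import stat
from pathlib import PurePosixPath

# Constructed sample: the Match blocks shown above, trimmed to the relevant key.
SAMPLE_CONFIG = """\
Match User webmaster
    ChrootDirectory /var/www/html
Match Group users
    ChrootDirectory /home
"""

def chroot_dirs(config_text):
    """Return [(match_criteria, path)] for every ChrootDirectory line."""
    found, scope = [], "global"
    for line in config_text.splitlines():
        words = line.split("#", 1)[0].split()  # simplification: drop comments
        if not words:
            continue
        if words[0].lower() == "match":
            scope = " ".join(words[1:])
        elif words[0].lower() == "chrootdirectory" and len(words) > 1:
            found.append((scope, words[1]))
    return found

def path_problems(path, stat_fn=os.stat):
    """List reasons sshd would refuse `path` as a chroot (empty list = OK)."""
    p = PurePosixPath(path)
    if not p.is_absolute():
        return [f"{path}: not an absolute path"]
    problems = []
    for comp in [*list(p.parents)[::-1], p]:  # "/" first, chroot itself last
        try:
            st = stat_fn(str(comp))
        except OSError as exc:
            problems.append(f"{comp}: cannot stat ({exc.strerror})")
            break
        if not stat.S_ISDIR(st.st_mode):
            problems.append(f"{comp}: not a directory")
        if st.st_uid != 0:
            problems.append(f"{comp}: owned by uid {st.st_uid}, not root")
        if st.st_mode & 0o022:
            problems.append(f"{comp}: writable by group or others")
    return problems

if __name__ == "__main__":
    for scope, path in chroot_dirs(SAMPLE_CONFIG):
        print(f"Match {scope}: {path}: {path_problems(path) or 'OK'}")
```

When a component fails this check, sshd drops the session and logs it as "bad ownership or modes for chroot directory".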


Enabling a restricted SSH session is more complicated, because SSH needs many components: Bash, libraries and so on. The reason is simple: once a user enters a confined environment, nothing outside that environment is accessible. All required components must be copied into the path where users are “chrooted”.