Last Updated: February 25, 2016
sean9999

creating jailed SFTP users on Debian

Every so often I have to create a jailed SFTP user account on one of our servers at work, so a third-party developer can hack away on WordPress or whatever without being tempted to access our codebase for other projects.

Here's what you do:

  1. choose your jail. I chose /jail
  2. groupadd sftp-only (first time only)
  3. useradd -g sftp-only -d /jail --shell /sbin/nologin bob
  4. passwd bob
  5. add this to /etc/ssh/sshd_config:

     Match group sftp-only
       ChrootDirectory %h
       AllowTCPForwarding no
       X11Forwarding no
       ForceCommand internal-sftp
       PubkeyAuthentication no
       RSAAuthentication no
       PasswordAuthentication yes

  6. chown root:root /jail
  7. chown root:root /jail/bob
  8. chmod 755 /jail/bob
  9. mkdir /jail/bob/fylez
  10. chown bob:sftp-only /jail/bob/fylez
  11. service sshd restart
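The chown/chmod steps above exist because sshd only honours ChrootDirectory when the chroot and every parent directory are owned by root and are neither group- nor world-writable; otherwise the login is refused and sshd logs "bad ownership or modes for chroot directory". As an added example (not part of the original tip), here is a small POSIX shell check that walks that parent chain the way sshd does; the owner uid and top directory are parameters only so it can be exercised on a scratch tree without root.

```shell
#!/bin/sh
# Added example: verify that a directory satisfies sshd's ChrootDirectory rule.
# Every component from CHROOT up to (but excluding) TOP must be owned by
# OWNER_UID and must not be group- or world-writable.
#
#   check_chroot_path CHROOT [OWNER_UID] [TOP]
#
# OWNER_UID defaults to 0 (root) and TOP to /; both are parameters purely so
# the check can be run on a scratch tree as an unprivileged user.
# Returns 0 if every component passes, 1 on the first bad component (printed
# to stdout), 2 if a component cannot be stat'ed.
check_chroot_path() {
  chroot_dir=$1
  owner_uid=${2:-0}
  top=${3:-/}
  p=$chroot_dir
  while [ "$p" != "$top" ] && [ "$p" != "/" ]; do
    # GNU stat: numeric owner uid and octal mode, e.g. "0 755" or "0 2755"
    out=$(stat -c '%u %a' -- "$p") || { echo "cannot stat $p"; return 2; }
    uid=${out% *}
    mode=${out#* }
    if [ "$uid" != "$owner_uid" ]; then
      echo "BAD owner uid $uid (want $owner_uid): $p"
      return 1
    fi
    # The last two octal digits are the group and other permission bits.
    other=${mode#"${mode%?}"}
    rest=${mode%?}
    group=${rest#"${rest%?}"}
    case "$group" in 2|3|6|7) echo "BAD group-writable (mode $mode): $p"; return 1 ;; esac
    case "$other" in 2|3|6|7) echo "BAD world-writable (mode $mode): $p"; return 1 ;; esac
    p=$(dirname "$p")
  done
  return 0
}

# Usage on a real host: sh check_chroot.sh /jail/bob
if [ $# -gt 0 ]; then
  check_chroot_path "$1" && echo "OK: $1 is usable as ChrootDirectory"
fi
```

Run it against the jail after the chown/chmod steps and before restarting sshd; a complaint about a group-writable or non-root-owned component is exactly what the sshd log would say after a failed login.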


2 Responses

If you're going to be jailing multiple users, you can modify the sshd_config Match block to:

Match group sftp-only

Actually, that's probably how I would do it even with one user, since you're already creating the sftp-only group.

over 1 year ago

Good point. I've updated the code. Note to other readers: I previously used Match user, which would require more manual maintenance work as users come and go.

over 1 year ago