How to Restrict SFTP Users to Home Directories Using chroot Jail


Senthil Kumar

A Linux consultant living in India. He loves to write about Linux, open source, computers and the Internet. Apart from that, he'd like to review Internet tools and web services.


4 Responses

  1. Robert Giordano says:

    On my freeBSD server, everything works fine until I try to rsync.

    If I do: sftp user@ip.address, I get “Connected to ip.address” like in your article above.

    But if I do: rsync -avz user@ip.address/ /path/to/local/backup, then I get the following:

    protocol version mismatch — is your shell clean?
    (see the rsync man page for an explanation)
    rsync error: protocol incompatibility (code 2) at /SourceCache/rsync/rsync-42/rsync/compat.c(61) [receiver=2.6.9]

    Any ideas? Thanks

    • Ravi Saive says:

      @Robert,

      I think it's due to different versions of rsync installed on the servers. Make sure you have the same version of rsync, or maybe different flavors of Linux distros are used here; you need to check.

  2. Lenny says:

    You’re better off creating an SFTP root as /home/sftproot and then putting your SFTP users' home directories under /home/sftproot/home.
    Then when that user logs in they’ll automatically get put into their home directory, e.g. /home/lenny within the chroot, instead of the root directory of the chroot. You can then also restrict permissions so that within the chroot /home directory users can’t see what other user directories exist: chmod 0751.
    You can also configure rsyslog to add a socket to /home/sftproot/dev/ so ssh logs all transfers to syslog.
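
An added example, not part of the comment above or of the original article: a Python audit of the shared-chroot layout that comment describes, checking sshd's ownership rule for the ChrootDirectory path and the 0751 mode on the in-chroot home directory. The function name `audit_sftp_chroot` and its `owner_uid` parameter are hypothetical; the path /home/sftproot is the one from the comment.

```python
import os
import stat
import sys


def audit_sftp_chroot(chroot, owner_uid=0):
    """Return (path, problem) findings for a shared SFTP chroot.

    Assumed layout: <chroot> is sshd's ChrootDirectory and user homes
    live in <chroot>/home/<user>.
    """
    chroot = os.path.realpath(chroot)
    if not os.path.isdir(chroot):
        return [(chroot, "missing or not a directory")]
    findings = []

    # sshd_config(5): every component of the ChrootDirectory path must be
    # root-owned and not writable by any other user or group.
    path = chroot
    while True:
        st = os.stat(path)
        if st.st_uid != owner_uid:
            findings.append((path, "not owned by uid %d" % owner_uid))
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((path, "writable by group or others"))
        parent = os.path.dirname(path)
        if parent == path:
            break
        path = parent

    # Mode 0751 on <chroot>/home: others keep x (traverse to their own
    # directory) but lose r (listing the other user directories).
    home = os.path.join(chroot, "home")
    if not os.path.isdir(home):
        findings.append((home, "missing"))
        return findings
    mode = os.stat(home).st_mode
    if mode & stat.S_IROTH:
        findings.append((home, "others can list user directories"))
    if not mode & stat.S_IXOTH:
        findings.append((home, "others cannot traverse to their home"))
    return findings


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "/home/sftproot"
    for path, problem in audit_sftp_chroot(target):
        print("%s: %s" % (path, problem))
```

An empty result means the path satisfies both checks; sshd refuses the session when a component of the chroot path fails the ownership or write-permission rule.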

  3. Jalal Hajigholamali says:

    Hi,
    Very nice article…
    Thanks a lot
