When working with SFTP on Ubuntu, you might need to restrict users to specific directories - similar to ProFTPD's DefaultRoot
functionality. Unlike FTP servers, SFTP operates through SSH, requiring different configuration approaches.
The most effective method involves configuring OpenSSH's built-in chroot capability. Edit your SSH configuration file:
sudo nano /etc/ssh/sshd_config
Add these lines at the end of the file:
Match User username
ChrootDirectory /home/username/music
ForceCommand internal-sftp
AllowTcpForwarding no
X11Forwarding no
For chroot to work properly, the target directory must:
- Be owned by root (not the user)
- Not be writable by group or others (mode 755 is correct)
sudo mkdir -p /home/username/music
sudo chown root:root /home/username/music
sudo chmod 755 /home/username/music
Since the chroot directory must be owned by root, create a subdirectory for user files:
sudo mkdir /home/username/music/uploads
sudo chown username:username /home/username/music/uploads
After making changes, restart the SSH service:
sudo service ssh restart
For more complex scenarios, consider using rssh:
sudo apt-get install rssh
sudo nano /etc/rssh.conf
Add configuration:
allowscp
allowsftp
user=username:022:00001:/home/username/music
Verify your setup using this command:
sftp username@localhost
You should be restricted to the specified directory and its subdirectories.
If encountering problems, check:
- SSH logs (/var/log/auth.log)
- Directory permissions
- SELinux contexts (if enabled)
sudo tail -f /var/log/auth.log
When managing SFTP servers, administrators often need to restrict users to specific directories - similar to how ProFTPD's DefaultRoot
directive works. For SFTP sessions using OpenSSH, we need a different approach since it doesn't use the same configuration file.
The modern way to handle this is through OpenSSH's built-in chroot capability. Here's how to implement directory restrictions for SFTP users:
# Edit sshd_config
Match Group sftpusers
ChrootDirectory /home/%u
ForceCommand internal-sftp
AllowTcpForwarding no
X11Forwarding no
Let's walk through a complete setup where we want SFTP users to be restricted to their respective ~/data subdirectory:
# Create user with specific home structure
sudo useradd -m -G sftpusers john
sudo mkdir /home/john/data
sudo chown john:john /home/john/data
sudo chmod 700 /home/john
# Configure sshd_config (usually at /etc/ssh/sshd_config)
Subsystem sftp internal-sftp
Match Group sftpusers
ChrootDirectory /home/%u
ForceCommand internal-sftp
X11Forwarding no
AllowTcpForwarding no
PermitTunnel no
The chroot directory must be owned by root and not writable by the user. The actual data directory inside needs proper user permissions:
# Correct permission example
sudo chown root:root /home/john
sudo chmod 755 /home/john
sudo chown john:john /home/john/data
For more complex scenarios where you need to map directories outside the home folder:
# Create the chroot structure (the mount point for the user's data sits inside it)
sudo mkdir -p /sftp/chroot/home/john/data
# Bind-mount the actual data location into the chroot. A symlink to /var/data/john
# would not work: once chrooted, the path is resolved inside /sftp/chroot, where
# /var/data/john does not exist.
sudo mount --bind /var/data/john /sftp/chroot/home/john/data
# Then configure chroot to point to /sftp/chroot
Match User john
ChrootDirectory /sftp/chroot
ForceCommand internal-sftp
After making changes, always test and restart the service:
sudo sshd -t # Test configuration
sudo systemctl restart ssh
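The following bash script is an added example, not code from the article, that automates the setup walked through above: /home/USER as the root-owned, mode 755 chroot, /home/USER/data as the user's writable directory, and a bind mount (not a symlink) for data kept elsewhere. The group name sftpusers and the /var/data path come from the article; the nologin shell, the fstab entry for persistence, the DRY_RUN switch and the function names are my own choices.

```shell
#!/bin/bash
# Added example (not from the original article): provision one chrooted SFTP
# account with the layout described above. /home/USER is the chroot (root-owned,
# mode 755), /home/USER/data belongs to the user, and data that lives elsewhere
# is bind-mounted in rather than symlinked. Function names, the nologin shell
# and the fstab persistence are this example's own choices.
# Run with DRY_RUN=1 to print the commands instead of executing them.
set -eu

# run CMD...: execute, or just print under DRY_RUN.
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# sftp_chroot_user USER [DATA_SRC]
# Create USER in group sftpusers with a chroot-compatible home. If DATA_SRC is
# given, bind-mount it onto /home/USER/data and record the mount in /etc/fstab.
sftp_chroot_user() {
  local user="$1" src="${2:-}" home="/home/$1"

  run groupadd -f sftpusers
  # No interactive shell is needed: ForceCommand internal-sftp never spawns one.
  if [ "${DRY_RUN:-0}" = 1 ] || ! id -u "$user" >/dev/null 2>&1; then
    run useradd -m -G sftpusers -s /usr/sbin/nologin "$user"
  fi

  # The chroot itself: root-owned and not writable by group or others, else
  # sshd refuses the session with "bad ownership or modes for chroot directory".
  run chown root:root "$home"
  run chmod 755 "$home"

  # The directory the user actually writes to lives inside the chroot.
  run mkdir -p "$home/data"
  run chown "$user:$user" "$home/data"

  if [ -n "$src" ]; then
    run mkdir -p "$src"
    run chown "$user:$user" "$src"
    # A symlink would not resolve once chrooted; a bind mount makes the
    # outside directory appear as /data in the user's view.
    run mount --bind "$src" "$home/data"
    run sh -c "printf '%s %s none bind 0 0\n' '$src' '$home/data' >> /etc/fstab"
  fi
}

# sshd_match_block: the Match block from the article, to append to
# /etc/ssh/sshd_config. Match blocks must come after all global options, and
# ForceCommand internal-sftp is honoured even if the stock Subsystem line still
# points at the external sftp-server, so that line can stay as it is.
sshd_match_block() {
  cat <<'EOF'
Match Group sftpusers
    ChrootDirectory /home/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
    PermitTunnel no
EOF
}

# Usage: sudo ./sftp-chroot.sh john [/var/data/john]
if [ -n "${1:-}" ]; then
  sftp_chroot_user "$@"
  echo "Append the following to /etc/ssh/sshd_config, then run 'sshd -t' and restart ssh:"
  sshd_match_block
fi
```

Run it once per account with DRY_RUN=1 first to review the exact commands; because the Match block applies to the whole sftpusers group, only the filesystem steps need repeating for additional users.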