How to Configure SFTP User with Jailkit Chroot for Specific Directory Access on Amazon EC2 CentOS



When managing multiple websites on a single EC2 instance, we often need to grant third-party developers restricted SFTP access to their designated project directory while preventing access to other sensitive areas. Here's how to properly implement this:


# Install required packages (jailkit is not in the CentOS base repositories;
# build it from source if yum cannot find it)
sudo yum install -y openssh-server jailkit

# Create the user with no interactive shell; its home is the site root
sudo useradd -d /var/www/html/website_abc -s /sbin/nologin adeveloper
sudo passwd adeveloper  # only needed if password logins will be allowed

# Initialize the jail with jailkit's sftp profile. With ForceCommand
# internal-sftp (below) sshd needs no binaries inside the jail, so this step
# is optional; "website_abc" is not a jk_init profile name
sudo jk_init -v -j /home/chroot sftp

# Expose only website_abc inside the jail with a bind mount. A symlink does
# not work here: inside the chroot its absolute target is resolved against
# the jail root, so the link would point at itself
sudo mkdir -p /home/chroot/var/www/html/website_abc
sudo mount --bind /var/www/html/website_abc /home/chroot/var/www/html/website_abc
echo '/var/www/html/website_abc /home/chroot/var/www/html/website_abc none bind 0 0' | sudo tee -a /etc/fstab
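Before relying on any symlink inside the jail, check how its target resolves once sshd has chrooted the session: an absolute target such as /var/www/html/website_abc is looked up under the jail root, so a link at /home/chroot/var/www/html/website_abc that points there refers to itself, and a bind mount is the working alternative. The script below is an added example, not part of the original post; the function names are mine, the paths are the ones used above, and it assumes GNU find/readlink as shipped on CentOS.

```shell
#!/bin/bash
# Added example, not from the original post: audit symlinks inside a chroot
# and show the bind-mount alternative. Assumes GNU readlink/find (CentOS).

# Print the host path that a symlink's target resolves to once a session is
# chrooted into $1. Inside the jail an absolute target is looked up under the
# jail root, so /var/www/html/website_abc becomes
# $jail/var/www/html/website_abc; a relative target is resolved from the
# link's own directory. Returns 1 if the result is the link itself (a loop)
# or does not exist (dangles), 2 on usage error.
jail_symlink_target() {
    local jail=${1%/} link=$2 target resolved
    if [ ! -L "$link" ]; then
        echo "not a symlink: $link" >&2
        return 2
    fi
    target=$(readlink "$link") || return 2
    case $target in
        /*) resolved="$jail$target" ;;
        *)  resolved="$(dirname "$link")/$target" ;;
    esac
    echo "$resolved"
    if [ "$resolved" = "$link" ]; then
        echo "loops back to itself inside the jail: $link -> $target" >&2
        return 1
    fi
    if [ ! -e "$resolved" ]; then
        echo "dangles inside the jail: $link -> $target" >&2
        return 1
    fi
    return 0
}

# Walk every symlink under the jail, print how many are unusable from inside
# it, and return 1 if any are.
audit_jail_symlinks() {
    local jail=${1%/} bad=0 link list
    list=$(mktemp) || return 2
    find "$jail" -type l > "$list"
    while IFS= read -r link; do
        jail_symlink_target "$jail" "$link" >/dev/null || bad=$((bad + 1))
    done < "$list"
    rm -f "$list"
    echo "$bad"
    [ "$bad" -eq 0 ]
}

# The working alternative: bind-mount the site directory into the jail. The
# mount needs root; the fstab line makes it survive a reboot of the instance.
fstab_bind_line() {
    printf '%s %s none bind 0 0\n' "$1" "$2"
}

bind_site_into_jail() {
    local src=$1 dst=$2
    mkdir -p "$dst" && mount --bind "$src" "$dst" &&
        fstab_bind_line "$src" "$dst" >> /etc/fstab
}

# Usage on the server (as root):
#   audit_jail_symlinks /home/chroot
#   bind_site_into_jail /var/www/html/website_abc /home/chroot/var/www/html/website_abc
```

Run audit_jail_symlinks against the jail after any change to it; a non-zero count means something the developer's client can see will not open. The bind mount makes the real directory appear at the same path inside and outside the jail, so the user's home (set with useradd -d above) resolves correctly after sshd chroots.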

Add a Match block at the end of /etc/ssh/sshd_config (every line after a Match line belongs to that block, so it must come last):


Match User adeveloper
    ChrootDirectory /home/chroot
    ForceCommand internal-sftp
    # keys live outside the jail and the web root; sshd reads them before chrooting
    AuthorizedKeysFile /etc/ssh/authorized_keys/%u
    PasswordAuthentication no
    PermitTunnel no
    AllowAgentForwarding no
    AllowTcpForwarding no
    X11Forwarding no

# The jail root and every parent must be root-owned and not group/world
# writable, or sshd refuses the login; apply this to the skeleton only,
# never -R across the bind-mounted site content
sudo chown root:root /home/chroot /home/chroot/var /home/chroot/var/www /home/chroot/var/www/html
sudo chmod 755 /home/chroot /home/chroot/var /home/chroot/var/www /home/chroot/var/www/html
sudo chown -R adeveloper:adeveloper /var/www/html/website_abc

# Leave the parent at 755: 750 would lock the web server out of every site
# under it. The chroot, not this mode, hides sibling sites from the user
sudo chmod 755 /var/www/html

# Generate the key pair on the developer's machine; the private key never
# leaves it and only the .pub file is sent to you
ssh-keygen -t rsa -b 4096 -f adeveloper_key

# Install the public key where sshd reads it before chrooting. A file under
# /home/chroot/home/... is never consulted, because AuthorizedKeysFile is
# resolved on the host filesystem, so point the Match block at a root-owned
# path outside the jail (AuthorizedKeysFile /etc/ssh/authorized_keys/%u)
sudo mkdir -p /etc/ssh/authorized_keys
sudo cp adeveloper_key.pub /etc/ssh/authorized_keys/adeveloper
sudo chown root:root /etc/ssh/authorized_keys /etc/ssh/authorized_keys/adeveloper
sudo chmod 755 /etc/ssh/authorized_keys
sudo chmod 644 /etc/ssh/authorized_keys/adeveloper

# Validate the config first: a broken sshd_config locks you out of the instance
sudo sshd -t && sudo systemctl restart sshd

# Test connection
sftp -i adeveloper_key adeveloper@your-ec2-ip

If you encounter permission denied errors:


# sshd logs the reason; the chroot-specific one reads
#   fatal: bad ownership or modes for chroot directory component "/home/chroot"
sudo grep -i chroot /var/log/secure | tail

# Every component of the ChrootDirectory path must be root-owned and not
# group- or world-writable
sudo ls -ld /home /home/chroot /home/chroot/var /home/chroot/var/www /home/chroot/var/www/html

# Verify the SELinux context, and the boolean that allows writes under a
# chrooted home directory
sudo restorecon -Rv /home/chroot/
getsebool ssh_chroot_rw_homedirs   # enable with: sudo setsebool -P ssh_chroot_rw_homedirs on

For debugging SFTP connections:


sudo tail -f /var/log/secure
# or, from the client side, with verbose output
sftp -vvv -i adeveloper_key adeveloper@your-ec2-ip
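The most common cause of a refused login here is a chroot path that breaks sshd's ownership rules: the directory in ChrootDirectory and every parent of it must be owned by root and must not be writable by group or others, and sshd logs "bad ownership or modes for chroot directory component" when that fails. The script below is an added example, not part of the original post; it reproduces that walk for every path component and, where sshd is installed, prints the settings that actually apply to the user. The function names are mine; it assumes GNU stat (coreutils) and the user and paths used above.

```shell
#!/bin/bash
# Added example, not from the original post: reproduce sshd's ChrootDirectory
# ownership check and show the effective per-user settings. Assumes GNU stat
# (coreutils) and the user/paths used above.

# Check one directory against sshd's rules: owned by the expected uid
# (0 = root) and not writable by group or others.
chroot_component_ok() {
    local dir=$1 want_uid=${2:-0} uid mode
    if [ ! -d "$dir" ]; then
        echo "missing directory: $dir" >&2
        return 1
    fi
    uid=$(stat -c %u "$dir") || return 1
    mode=$(stat -c %a "$dir") || return 1
    if [ "$uid" != "$want_uid" ]; then
        echo "$dir is owned by uid $uid, expected $want_uid" >&2
        return 1
    fi
    # mode is octal as printed by stat (755, 1777, ...); 022 masks g+w and o+w
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "$dir is group- or world-writable (mode $mode)" >&2
        return 1
    fi
    return 0
}

# Walk every component of $1 from the root down, as sshd does, and stop at the
# first violation. $2 overrides the expected owner uid and $3 the directory at
# which checking starts; both exist only so the function can be exercised on
# throwaway directories. Leave them at the defaults on a real server.
check_chroot_path() {
    local target=$1 want_uid=${2:-0} from=${3:-/}
    local dir='' checking=0 comp
    case $target in
        /*) ;;
        *)  target=$PWD/$target ;;
    esac
    from=${from%/}
    if [ -z "$from" ]; then
        checking=1
        chroot_component_ok / "$want_uid" || return 1
    fi
    local IFS=/
    for comp in $target; do
        [ -n "$comp" ] || continue
        dir="$dir/$comp"
        if [ "$checking" -eq 0 ]; then
            [ "$dir" = "$from" ] || continue
            checking=1
        fi
        chroot_component_ok "$dir" "$want_uid" || return 1
    done
    if [ "$checking" -eq 0 ]; then
        echo "$from is not a parent of $target" >&2
        return 2
    fi
    return 0
}

# Print the settings sshd would actually apply to a given user, the quickest
# way to confirm the Match block took effect after a restart (needs root).
effective_sshd_settings() {
    command -v sshd >/dev/null || { echo "sshd not installed here" >&2; return 2; }
    sshd -T -C user="$1" |
        grep -Ei '^(chrootdirectory|forcecommand|authorizedkeysfile|passwordauthentication|allowtcpforwarding|x11forwarding)'
}

# Usage on the server (as root):
#   check_chroot_path /home/chroot && sshd -t && echo "chroot path and config OK"
#   effective_sshd_settings adeveloper
```

check_chroot_path fails on the first bad component and names it, which is what the single sshd log line does not tell you when the problem is a parent such as /home rather than the jail itself. Running it before the sshd restart avoids the restart-and-retry loop entirely.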

When collaborating with third-party developers on a multi-website EC2 instance, security becomes paramount. The primary challenge is granting SFTP/FTP access to /var/www/html/website_abc while preventing access to sibling directories like /var/www/html/website_xyz.

First, create a dedicated user account with no interactive shell, with the site root as its home directory:

sudo useradd -d /var/www/html/website_abc -s /sbin/nologin adeveloper
sudo passwd adeveloper  # Set a strong password, or skip this and allow keys only

The directory named in ChrootDirectory must be owned by root and must not be writable by anyone else, or sshd refuses the login with "bad ownership or modes for chroot directory". So the site root stays root-owned and the developer owns the content beneath it; do not leave the DocumentRoot at 777, which both breaks the chroot and lets any local process write to the site:

sudo chown root:root /var/www/html/website_abc && sudo chmod 755 /var/www/html/website_abc
sudo find /var/www/html/website_abc -mindepth 1 -maxdepth 1 -exec chown -R adeveloper:adeveloper {} +
sudo chmod 755 /var/www/html

With this layout the developer cannot create new entries directly in the site root. If that is needed, keep the site in a subdirectory the developer owns (for example /var/www/html/website_abc/public) and point DocumentRoot there.

Edit the SSH configuration to restrict the user to their home directory:

sudo nano /etc/ssh/sshd_config

Add these lines at the end:

Match User adeveloper
    ChrootDirectory /var/www/html/website_abc
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no

Then validate the configuration and restart SSH (a syntax error would lock you out of the instance):

sudo sshd -t && sudo systemctl restart sshd

If you would rather run a dedicated file-transfer daemon, ProFTPD with mod_sftp speaks the same SFTP protocol and jails users with DefaultRoot without OpenSSH's root-ownership requirement on the jail directory. On CentOS the package comes from EPEL; mod_sftp is a module of that package rather than a separate yum package (proftpd -l lists the compiled-in modules, loadable ones sit in the module directory and need a LoadModule mod_sftp.c line):

sudo yum install -y proftpd proftpd-utils

Configure /etc/proftpd.conf. The SFTP listener needs a port other than sshd's 22, and RequireValidShell off is needed because the account has a nologin shell:

<VirtualHost 0.0.0.0>
    ServerName "website_abc"
    Port 2222
    SFTPEngine on
    SFTPHostKey /etc/ssh/ssh_host_rsa_key
    SFTPLog /var/log/proftpd/sftp.log
    RequireValidShell off
    DefaultRoot ~
    <Limit WRITE>
        DenyAll
    </Limit>
    <Directory /var/www/html/website_abc>
        <Limit WRITE>
            AllowUser adeveloper
        </Limit>
    </Directory>
</VirtualHost>

Check the file with proftpd -t before restarting the service, and open port 2222 in the instance's security group.

Never hand out the key pair AWS generated for the instance. The developer generates a dedicated pair on their own machine and sends you only the public half:

ssh-keygen -t rsa -b 4096 -f adeveloper_key   # on the developer's machine, not on the server

Install adeveloper_key.pub as that user's authorized key. sshd reads the key file on the host filesystem before chrooting, and with this layout the default ~/.ssh/authorized_keys would sit inside the DocumentRoot, so point the Match block at a root-owned location instead (AuthorizedKeysFile /etc/ssh/authorized_keys/%u) and copy the public key to /etc/ssh/authorized_keys/adeveloper with mode 644.

Test the setup by attempting to access restricted areas:

sftp adeveloper@your-ec2-ip

Then try:

pwd
cd ../website_xyz

Inside the jail the site root is /, so pwd prints / rather than /var/www/html/website_abc, cd .. stays at /, and cd ../website_xyz fails with "No such file or directory". The session does not terminate; it simply has nowhere else to go. If pwd shows the host path or the sibling directory is listable, the Match block is not taking effect: confirm what sshd applies to the user with sudo sshd -T -C user=adeveloper | grep -i chroot.

Consider implementing:

  • IP-based restrictions: the instance's security group on port 22, or a Match Address block in sshd_config (/etc/hosts.allow only works where sshd is built with TCP wrappers, which CentOS 8 no longer ships)
  • Two-factor authentication
  • Connection time limits (ClientAliveInterval and ClientAliveCountMax inside the Match block)