When setting up secure file transfer on Linux servers, many sysadmins traditionally reached for rssh or scponly. However, these tools show their age:
- scponly hasn't seen updates since 2017, requiring full recompilation for configuration changes
- rssh has documented security vulnerabilities and its creator declared the project dead
The OpenSSH server (sshd) now includes robust features that make external tools unnecessary:
# Example sshd_config for chrooted SFTP
Match Group sftpusers
ChrootDirectory /sftp/%u
ForceCommand internal-sftp
X11Forwarding no
AllowTcpForwarding no
PermitTunnel no
For production environments, consider these additional security measures:
# Directory structure setup
sudo mkdir -p /sftp/username/{uploads,downloads}
sudo chown root:root /sftp/username
sudo chmod 755 /sftp/username
sudo chown username:sftpusers /sftp/username/uploads
- proftpd with mod_sftp: Enterprise-grade SFTP server with chroot support
- vsftpd: Lightweight FTP server with SSL/TLS and chroot options
- SFTPGo: Modern standalone SFTP server with web admin interface
Here's complete setup for an academic research server:
# Create restricted user
sudo useradd -m -d /incoming -s /usr/sbin/nologin researcher
sudo usermod -a -G sftpusers researcher
# Configure directories
sudo mkdir -p /sftp/researcher/{incoming,processed}
sudo chown root:root /sftp/researcher
sudo chown researcher:sftpusers /sftp/researcher/incoming
For CentOS/RHEL systems specifically, ensure SELinux contexts are properly set:
sudo chcon -R -t ssh_home_t /sftp/researcher/incoming
sudo semanage fcontext -a -t ssh_home_t "/sftp/researcher/incoming(/.*)?"
The traditional tools for creating restricted SCP/SFTP environments (rssh and scponly) have become problematic due to:
- Lack of security updates (rssh last updated in 2012, scponly in 2016)
- Compatibility issues with modern Linux distributions
- Compilation requirements for configuration changes
- Known vulnerabilities in older codebases
Modern OpenSSH (version 4.9+) provides native capabilities that eliminate the need for third-party tools:
# /etc/ssh/sshd_config example for chrooted SFTP
Match Group sftpusers
ChrootDirectory /var/sftp/%u
ForceCommand internal-sftp
X11Forwarding no
AllowTcpForwarding no
PermitTunnel no
For stronger isolation than chroot, consider containerization:
# Dockerfile for minimal SFTP container
FROM alpine:latest
RUN apk add --no-cache openssh-sftp-server
RUN adduser -D -h /data -s /bin/false sftpuser
VOLUME /data
EXPOSE 22
CMD ["/usr/sbin/sshd", "-D", "-e"]
Several actively maintained projects address these needs:
1. SSHChroot (Python-based)
# Installation on CentOS/RHEL
sudo yum install -y python3 git
git clone https://github.com/unbit/ssh-chroot
cd ssh-chroot
sudo python3 setup.py install
2. Gitolite (Git-focused but extensible)
While primarily for Git, its access control system can be adapted for SCP/SFTP:
# In gitolite.conf
repo @sftp
RW+ = sftpuser
- VREF/NAME/ = @all
Regardless of solution chosen, follow these security guidelines:
- Use separate partitions for chroot directories
- Set proper permissions (chroot directory must be owned by root)
- Regularly audit access logs
- Consider SELinux/AppArmor profiles for additional hardening
When implementing restricted shells, watch for:
# Debugging SSH connection issues
ssh -vvv user@host
journalctl -u sshd --no-pager -n 50
Common pitfalls include incorrect directory permissions, missing system libraries in chroot, and improperly configured PAM modules.