
for this example, we will use user1 and user2


first of all, these users don't need a shell on the system since they will use sftp only:

useradd -m -s /bin/false user1
useradd -m -s /bin/false user2

next, their home directory must belong to root: sshd only accepts a ChrootDirectory if that directory and every directory above it is owned by root and not writable by any other user

chown root:root /home/user1
chown root:root /home/user2

the permissions on their home directory should be 0755 so they can enter and list it but not create anything in it (more on that later)

chmod 0755 /home/user1
chmod 0755 /home/user2

now the tricky part, the permissions on the keys (sshd refuses an authorized_keys file or .ssh directory that is writable by anyone other than the user):

mkdir /home/user1/.ssh
mkdir /home/user2/.ssh
cat user1.pubkey > /home/user1/.ssh/authorized_keys
cat user2.pubkey > /home/user2/.ssh/authorized_keys
chown -R user1:user1 /home/user1/.ssh
chown -R user2:user2 /home/user2/.ssh
chmod 0700 /home/user1/.ssh
chmod 0700 /home/user2/.ssh
chmod 0600 /home/user1/.ssh/authorized_keys
chmod 0600 /home/user2/.ssh/authorized_keys

we are finally ready to set up /etc/ssh/sshd_config to force these users to use sftp:

Subsystem sftp /usr/lib/openssh/sftp-server

# the chroot is the root-owned, 0755 home directory prepared above
Match User user1
 ForceCommand internal-sftp
 ChrootDirectory /home/user1
 AuthorizedKeysFile /home/user1/.ssh/authorized_keys

Match User user2
 ForceCommand internal-sftp
 ChrootDirectory /home/user2
 AuthorizedKeysFile /home/user2/.ssh/authorized_keys

testing this setup with ssh should give you this:

$ ssh -i user1.privatekey user1@server.example.com
This service allows sftp connections only.
Connection to localhost closed.

testing this setup with sftp should give you this:

$ sftp -i user1.privatekey user1@server.example.com
sftp>

as previously stated, your users will not be able to create files or directories at the root of their home directory

sftp> mkdir test_directory
Couldn't create directory: Permission denied

you will need to create a directory that belongs to them inside their home directory where they will be able to create, delete etc.

mkdir /home/user1/user1_directory
chown user1:user1 /home/user1/user1_directory
mkdir /home/user2/user2_directory
chown user2:user2 /home/user2/user2_directory

and now it works!

$ sftp -i user1.privatekey user1@server.example.com
sftp> cd user1_directory/
sftp> mkdir test_directory
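Because a single wrong owner or a stray group-write bit anywhere on the path makes sshd reject the chroot, it is worth checking the whole path before restarting sshd. The script below is an added example, not part of the original page; it assumes GNU stat (-c) as found on Linux and the same /home/user1 layout as above.

```shell
#!/bin/sh
# Added example, not from the original page: sshd refuses a ChrootDirectory
# unless every component of the path (/, /home, /home/user1) is owned by root
# and not writable by group or others, which is why the page chowns the home
# directory to root with mode 0755. Assumes GNU stat (-c), as on Linux.
# perms_ok UID MODE: MODE is octal as printed by `stat -c %a` (755, 1777, ...).
# Returns 0 when the owner is root and neither group nor others may write.
perms_ok() {
    uid=$1; mode=$2
    [ "$uid" -eq 0 ] || return 1
    # pad to three digits, then keep only the last three (drops setuid/sticky digit)
    case $mode in
        ?) mode="00$mode" ;;
        ??) mode="0$mode" ;;
    esac
    mode=${mode#"${mode%???}"}
    group=${mode#?}; group=${group%?}   # middle digit
    other=${mode#??}                    # last digit
    # the write bit is 2 in each octal digit
    [ $((group & 2)) -eq 0 ] && [ $((other & 2)) -eq 0 ]
}

# check_one PATH: report one component; returns 1 if missing or unacceptable
check_one() {
    st=$(stat -c '%u %a' "$1" 2>/dev/null) || { echo "missing: $1"; return 1; }
    if perms_ok $st; then
        echo "ok   $1 (uid mode: $st)"
    else
        echo "BAD  $1 (uid mode: $st)"
        return 1
    fi
}

# check_chroot_path /home/user1: checks /, /home and /home/user1 in turn
check_chroot_path() {
    bad=0
    cur=""
    old_ifs=$IFS; IFS=/; set -- $1; IFS=$old_ifs
    check_one / || bad=1
    for comp in "$@"; do
        [ -n "$comp" ] || continue
        cur="$cur/$comp"
        check_one "$cur" || bad=1
    done
    return $bad
}

# usage: sh check_chroot.sh /home/user1  (also works for a %h chroot)
if [ -n "${1:-}" ]; then check_chroot_path "$1"; fi
```

A BAD line names the exact component to fix with chown root:root or chmod 0755; run it again for /home/user2 (or any %h) before restarting sshd.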

side notes:

here, we used the "Match user" directive but we can also do this on a group level with the "Match Group" directive

Subsystem sftp /usr/lib/openssh/sftp-server

Match Group sftp
 ForceCommand internal-sftp
 ChrootDirectory %h

For any users that you wish to chroot, create the sftp group once and add them to it (use -a so their existing supplementary groups are kept):

# groupadd sftp
# usermod -aG sftp user1
# usermod -s /bin/false user1
# chown root:root /home/user1
# chmod 0755 /home/user1