
How do I chroot users so that they cannot get out of their home directories when using SFTP?

asked Dec 29 '10 at 19:33



To chroot users to their home directories when using SFTP in 4.x:

  1. Edit the following line in the configuration file /etc/ssh2/sshd2_config:

     ChRootUsers user1,user2,user3

     If all the users are in the same group, edit the following instead:

     ChRootGroups group1,group2,group3

  2. Also set the internal sftp-server in sshd2_config:

     subsystem-sftp internal://sftp-server

  3. Edit the /etc/passwd file so that the user's shell is set to /bin/ssh-dummy-shell. This is a good practice in case the server is accidentally started with a different configuration file and the user is not chrooted to her home directory. However, ssh-dummy-shell is not needed or used when the user is successfully chrooted.

     Note: If the ssh-dummy-shell binary is not static, you also need to copy the libraries the binary needs under the chroot jail. You can check the shared library dependencies with the ldd command.

  4. Restart the SSH Tectia Server and try to connect with SFTP as user1, and verify that the environment is chrooted.

For instructions on how to do this with 5.x and later versions, please see the SSH Tectia Server's Administrator's Guide, Chapter 7, "File Transfer", "Restricting Services" section.


answered Dec 29 '10 at 19:33



edited Jan 27 '11 at 08:27
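
The settings from steps 1 to 3 can be checked before the restart in step 4. The script below is an added example, not part of the original answer or of SSH Tectia's tooling; the function names (cfg_value, audit_chroot, demo) are hypothetical, and it assumes sshd2_config holds one whitespace-separated "Keyword value" pair per line with '#' comments. The sample files it writes are constructed.

```shell
#!/bin/sh
# Added audit sketch: checks the settings from steps 1-3 of the answer.
# Assumption: sshd2_config holds one "Keyword value" pair per line, with
# '#' comments and case-insensitive keywords.

# cfg_value FILE KEYWORD: print the last value set for KEYWORD.
cfg_value() {
    awk -v k="$2" 'BEGIN { k = tolower(k) }
        $1 ~ /^#/ { next }
        tolower($1) == k { v = $2 }
        END { print v }' "$1"
}

# audit_chroot CONFIG PASSWD: print findings, return 1 if any check fails.
audit_chroot() {
    conf=$1; passwd=$2; rc=0
    users=$(cfg_value "$conf" ChRootUsers)
    if [ -z "$users" ] && [ -z "$(cfg_value "$conf" ChRootGroups)" ]; then
        echo "FAIL: neither ChRootUsers nor ChRootGroups is set"; rc=1
    fi
    sftp=$(cfg_value "$conf" subsystem-sftp)
    if [ "$sftp" != "internal://sftp-server" ]; then
        echo "FAIL: subsystem-sftp is '${sftp:-unset}'"; rc=1
    fi
    # Fallback shell check for every user named in ChRootUsers.
    for u in $(printf '%s' "$users" | tr ',' ' '); do
        shell=$(awk -F: -v u="$u" '$1 == u { print $7 }' "$passwd")
        if [ "$shell" = "/bin/ssh-dummy-shell" ]; then
            echo "OK: $u has the dummy shell"
        else
            echo "FAIL: $u shell is '${shell:-missing}'"; rc=1
        fi
    done
    return $rc
}

# Constructed sample data: user2 still has a login shell.
demo() {
    d=$(mktemp -d)
    printf '%s\n' '# constructed sample' 'ChRootUsers user1,user2' \
        'subsystem-sftp internal://sftp-server' > "$d/sshd2_config"
    printf '%s\n' 'user1:x:1001:1001::/home/user1:/bin/ssh-dummy-shell' \
        'user2:x:1002:1002::/home/user2:/bin/bash' > "$d/passwd"
    audit_chroot "$d/sshd2_config" "$d/passwd" && r=0 || r=$?
    rm -rf "$d"; return $r
}
demo || true
```

Members of groups listed in ChRootGroups are not resolved here; only users named in ChRootUsers get the shell check.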

All user contributed content licensed under the cc-by-sa license.