OpenSSH sftp chroot jail installation and configuration

From n0r1sk software solutions
Jump to: navigation, search

This article will show you how you install a sftp server for making secure data transfer possible.

Some time ago I read about a new version of OpenSSH which had build in support for change root jail in the sftp subsystem. So I had to build up the OpenSSH server from source because no one hat precompiled packages for it. For your information we are using Debian (Etch). Read forward in our documentation to find out how to build such a server.

Install the needed dependencies

apt-get install libssl-dev zlib1g-dev libpam0g-dev

Download the actual sources from


Untar and configure the sources

tar -zxvf openssh-5.1p1.tar.gz
cd openssh-5.1p1.tar.gz
./configure --with-pam #this is important for authentication!!!
make install

The make install command installs the binaries under /usr/local/sbin and the configuration files under /usr/local/etc. If you like to use other paths you have to difine them with the ./configure command.

You have to change/add the following configuration parameters

in /usr/local/etc/sshd_config

UsePAM yes
Subsystem       sftp    internal-sftp
Match group sftponly
ChrootDirectory /home/%u
AllowTcpForwarding no
ForceCommand internal-sftp

Add a user to your system

Place it into the usergroup "sftponly"

Give the user /bin/false as default login shell

Change the owner from the homedirectory of the created user

chwon root.root /home/youruser

Start the new openssh daemon and have a lot of fun!

Don't forget to stop your "old" openssh-server.

/usr/local/sbin/sshd -f /usr/local/etc/sshd_config