October 23, 2014

How to Configure SFTP with Chroot-Jail on CentOS


Did you know that FTP transfers your password in plain text? Instead of FTP you can use the more secure SFTP. The SFTP service is based on SSH, which encrypts all passwords and data. You do not even have to install a separate service; all you need to do is configure SSH properly.

Root access is required to edit the following files and to execute commands. Log in as root (su) or simply prepend sudo to all commands that require root privileges.

Edit the SSH daemon configuration

Open the file /etc/ssh/sshd_config with your favorite text editor.

vi /etc/ssh/sshd_config

Paste the following directives at the end of this file.

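# General configuration
# Replace any existing "Subsystem sftp" line in this file; sshd rejects a second definition
Subsystem sftp internal-sftp
# Only the listed users may log in over SSH
AllowUsers stan moe
PermitRootLogin no

# User specific configuration (a Match block applies until the next Match or the end of the file)
Match User stan
    ChrootDirectory /var/www/vhosts/stans-homepage.com
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp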

Prevent login over SSH

Open the file /etc/passwd and change the shell of the given user to prevent login over SSH. We only want to give access through SFTP.

stan:x:505:506::/var/www/vhosts/stans-homepage.com/httpdocs/:/bin/nologin

Restart the SSH server

/sbin/service sshd restart

Connect with SFTP

Now you can try to connect to your server. Make sure that your client supports SFTP. If you cannot connect, your OpenSSH version may not support SFTP; in that case, install the current version.
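
sshd only accepts a ChrootDirectory whose every path component is a root-owned directory that is not writable by group or others (see sshd_config(5)), so a wrong owner or mode on /var/www/vhosts/stans-homepage.com or one of its parents is worth ruling out when the connection fails. The following script is an added example, not part of the original tutorial; the function names perm_ok and check_chroot_path are made up for it, and it assumes GNU stat as shipped with CentOS.

```shell
#!/bin/sh
# Added example: audit a ChrootDirectory path against sshd's ownership rules.

# perm_ok UID MODE -> success if the owner is root (uid 0) and neither
# group nor others have the write bit set in the octal MODE.
perm_ok() {
    [ "$1" -eq 0 ] && [ $(( 0$2 & 022 )) -eq 0 ]
}

# check_chroot_path DIR -> 0 if DIR and every parent up to / pass perm_ok.
# Prints one line per offending component.
# Returns 1 on a bad component, 2 if DIR cannot be entered or inspected.
check_chroot_path() {
    dir=$(cd "$1" 2>/dev/null && pwd -P) || return 2   # resolve symlinks first
    rc=0
    while :; do
        info=$(stat -c '%u %a' "$dir") || return 2      # GNU stat: "uid mode"
        uid=${info% *}
        mode=${info#* }
        if ! perm_ok "$uid" "$mode"; then
            echo "BAD: $dir (uid=$uid mode=$mode)"
            rc=1
        fi
        [ "$dir" = "/" ] && break
        dir=$(dirname "$dir")
    done
    return $rc
}

# Check the path given as first argument, e.g. the ChrootDirectory used above:
# /var/www/vhosts/stans-homepage.com
if [ "$#" -gt 0 ]; then
    check_chroot_path "$1" && echo "OK: $1 is acceptable as ChrootDirectory"
fi
```

Pass the ChrootDirectory as the first argument. Running sshd -t before the restart additionally validates the syntax of sshd_config.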