Ultimate Guide: Creating a Secure SFTP Server with Chroot on Ubuntu 22.04
🔐 What You’ll Learn in This Tutorial
1. Step-by-step installation of Ubuntu 22.04 for your SFTP server.
2. Configure OpenSSH for secure SFTP connections.
3. Implement chroot to confine users to their home directories.
4. Fine-tune permissions and user access for maximum security.
By the end, you’ll have a robust, secure SFTP server ideal for personal use, small businesses, or enterprise-level applications.
Step 1: Create Root Directory for SFTP Users
You can change the directory name to anything you prefer.
mkdir /sftpusers
chmod 701 /sftpusers
Step 2: Create SFTP User Group
Change the group name to anything you like.
groupadd sftpgroup
Step 3: Create SFTP User
Change mysftpuser to a username of your choice.
useradd -g sftpgroup -s /sbin/nologin mysftpuser
passwd mysftpuser
Step 4: Create SFTP User Directory
mkdir /sftpusers/mysftpuser
chown mysftpuser:sftpgroup /sftpusers/mysftpuser
chmod 700 /sftpusers/mysftpuser
Step 5: Edit SSH Config File
1. Open the SSH configuration file located at /etc/ssh/sshd_config with a text editor like nano.
nano /etc/ssh/sshd_config
2. Uncomment the following line:
Subsystem sftp /usr/lib/openssh/sftp-server
3. Add the following configuration at the end of the file:
Match Group sftpgroup
ChrootDirectory /sftpusers/
ForceCommand internal-sftp -d /%u
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no
PermitTunnel no
PasswordAuthentication yes
4. Save the file and restart the SSH service:
systemctl restart sshd
Step 6: Setup SFTP Authentication with SSH Key
Create Directory for SSH Keys
mkdir /etc/ssh/authorized_keys
chown root:root /etc/ssh/authorized_keys
chmod 755 /etc/ssh/authorized_keys
Add SSH Public Key
Replace PUBLIC_KEY with the actual public SSH key and username with the SFTP username.
echo 'PUBLIC_KEY' >> /etc/ssh/authorized_keys/username
chmod 644 /etc/ssh/authorized_keys/username
Step 7: Edit SSH Config for SSH Key Authentication
1. Open /etc/ssh/sshd_config again and replace the previous Match Group block with the following:
Match Group sftpgroup
ChrootDirectory /sftpusers/
ForceCommand internal-sftp -d /%u
AuthorizedKeysFile /etc/ssh/authorized_keys/%u .ssh/authorized_keys
PermitRootLogin no
PermitEmptyPasswords no
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no
PermitTunnel no
PasswordAuthentication yes
2. Restart the SSH service:
systemctl restart sshd
Step 8: Disable SFTP Password Authentication (Optional)
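To enforce SSH key-based authentication, edit /etc/ssh/sshd_config and set the following. The Match Group sftpgroup block from Step 7 contains PasswordAuthentication yes, and a Match block overrides the global value for matching users, so change the line inside that block: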
PasswordAuthentication no
Restart SSH:
systemctl restart sshd
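A way to confirm that the restrictions from Steps 5 to 8 are really in effect for an SFTP user, given here as an added example that is not part of the original guide. The function names and the sample lines are constructed for illustration; the real input comes from sshd -T -C, which prints the configuration sshd resolves for a given user after applying Match blocks.

```shell
# Added example. Feed it the settings sshd resolves for one user (run as root):
#   sshd -T -C user=mysftpuser,host=localhost,addr=127.0.0.1 | audit_sftp_user
# sshd -T prints one lower-case "keyword value" pair per line.
# expect FILE KEY REGEX: pass if FILE holds the line "KEY <value matching REGEX>"
expect() {
    if grep -Eq "^$2 $3\$" "$1"; then
        echo "ok    $2"
    else
        echo "FAIL  $2: got '$(sed -n "s|^$2 ||p" "$1")', want $3"
        return 1
    fi
}

# audit_sftp_user [--keys-only]: read sshd -T output on stdin; return 0 only
# if every restriction from the guide's Match block is in effect.
audit_sftp_user() {
    want_pw='(yes|no)'
    if [ "${1:-}" = "--keys-only" ]; then want_pw='no'; fi   # Step 8 applied
    cfg=$(mktemp) || return 2
    cat >"$cfg"
    rc=0
    expect "$cfg" chrootdirectory '/sftpusers/?'       || rc=1
    expect "$cfg" forcecommand 'internal-sftp( .*)?'   || rc=1
    expect "$cfg" allowagentforwarding no              || rc=1
    expect "$cfg" allowtcpforwarding no                || rc=1
    expect "$cfg" x11forwarding no                     || rc=1
    expect "$cfg" permittunnel no                      || rc=1
    expect "$cfg" permitemptypasswords no              || rc=1
    expect "$cfg" passwordauthentication "$want_pw"    || rc=1
    rm -f "$cfg"
    return "$rc"
}

# Constructed sample of the relevant sshd -T lines after Step 7 (not real output)
sample_output() {
    cat <<'EOF'
chrootdirectory /sftpusers/
forcecommand internal-sftp -d /%u
permitemptypasswords no
allowagentforwarding no
allowtcpforwarding no
x11forwarding no
permittunnel no
passwordauthentication yes
EOF
}

sample_output | audit_sftp_user    # passes: the Step 7 state
sample_output | audit_sftp_user --keys-only || echo "Step 8 is not applied yet"
```

Run the audit against the dummy user after each restart; a FAIL on passwordauthentication with --keys-only means the Match block still allows passwords.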
Conclusion
Congratulations! You’ve successfully set up a secure SFTP server with chroot on Ubuntu 22.04. This configuration ensures users are restricted to their designated directories while enabling secure file transfers with SSH key-based authentication.
🔒 Pro Tip: Always test your SFTP setup with a dummy user before deployment to production environments.
Post Date: August 4, 2023
Post Author: Abdul Aziz