Ultimate Guide: Creating a Secure SFTP Server with Chroot on Ubuntu 22.04

Cat Administrator

Welcome to our comprehensive tutorial on setting up a highly secure SFTP server with chroot on Ubuntu 22.04. In this step-by-step guide, we’ll walk you through the entire process, ensuring that you can securely transfer files while restricting user access to their designated directories.
🔐 What You’ll Learn in This Tutorial 🔐
- Step-by-step installation of Ubuntu 22.04 for your SFTP server.
- Configure OpenSSH for secure SFTP connections.
- Implement chroot to confine users to their home directories.
- Fine-tune permissions and user access for maximum security.
By the end of this tutorial, you’ll have a robust SFTP server that ensures data integrity and confidentiality, making it ideal for personal use, small businesses, or even enterprise-level applications.
Create root directory for sftp users
You can change the directory name to anything you like.
```bash
# The jail root must be owned by root and must not be writable by group or
# others; sshd refuses to chroot into a directory that fails that check.
mkdir /sftpusers
chmod 701 /sftpusers
```
Create sftp user group
Change the group name to anything you like.
```bash
groupadd sftpgroup
```
Create sftp user
Replace mysftpuser with the username you like.
```bash
# No interactive shell: this account is only ever used for SFTP.
# The password is used until key authentication is set up further down.
useradd -g sftpgroup -s /sbin/nologin mysftpuser
passwd mysftpuser
```
Create sftp user directory
```bash
# The user's own directory sits inside the jail and is writable only by them.
mkdir /sftpusers/mysftpuser
chown mysftpuser:sftpgroup /sftpusers/mysftpuser
chmod 700 /sftpusers/mysftpuser
```
Edit ssh config file
The SSH daemon configuration file is located at /etc/ssh/sshd_config; edit it with nano or any other text editor.
Uncomment the following line (on Ubuntu 22.04 it is usually already enabled):
```
Subsystem sftp /usr/lib/openssh/sftp-server
```
Add the following text at the end of the ssh config file. Every line after a Match line belongs to that block until the next Match, so it has to go at the end; the settings below then apply to members of sftpgroup and to nobody else:
```
Match Group sftpgroup
    # Jail root; %u in the paths below expands to the login name
    ChrootDirectory /sftpusers/
    # Run the in-process SFTP server and start in the user's own directory
    ForceCommand internal-sftp -d /%u
    AllowAgentForwarding no
    AllowTcpForwarding no
    X11Forwarding no
    PermitTunnel no
    PasswordAuthentication yes
```
Save and restart SSH
```bash
systemctl restart sshd
```
Setup SFTP authentication with SSH key
Create directory for ssh keys
```bash
# Key store outside the jail, readable by everyone but writable only by root,
# so users cannot add keys to their own accounts. One file per user, named
# after the login name so that %u in AuthorizedKeysFile resolves to it.
mkdir /etc/ssh/authorized_keys
chown root:root /etc/ssh/authorized_keys
chmod 755 /etc/ssh/authorized_keys
echo 'PUBLIC_KEY' >> /etc/ssh/authorized_keys/username
chmod 644 /etc/ssh/authorized_keys/username
```
Edit ssh config file
Open the /etc/ssh/sshd_config file with nano or any other text editor and change the following text from this:
```
Match Group sftpgroup
    ChrootDirectory /sftpusers/
    ForceCommand internal-sftp -d /%u
    AllowAgentForwarding no
    AllowTcpForwarding no
    X11Forwarding no
    PermitTunnel no
    PasswordAuthentication yes
```
To this:
```
Match Group sftpgroup
    ChrootDirectory /sftpusers/
    ForceCommand internal-sftp -d /%u
    # Look in the root-owned key store first, then in the user's home directory
    AuthorizedKeysFile /etc/ssh/authorized_keys/%u .ssh/authorized_keys
    PermitRootLogin no
    PermitEmptyPasswords no
    AllowAgentForwarding no
    AllowTcpForwarding no
    X11Forwarding no
    PermitTunnel no
    PasswordAuthentication yes
```
Save and restart SSH
```bash
systemctl restart sshd
```
Disable SFTP password authentication
Once you have verified that key-based login works, edit /etc/ssh/sshd_config and, in the Match Group sftpgroup block, change PasswordAuthentication yes to PasswordAuthentication no.
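The whole procedure above, collected into one idempotent script, as an added example that is not part of the original post. It assumes the post's names (group sftpgroup, jail root /sftpusers, key store /etc/ssh/authorized_keys) and an Ubuntu 22.04 host (GNU stat, OpenSSH with internal-sftp). It adds two checks the post does not show: the root-ownership and write-bit walk that sshd performs over every component of ChrootDirectory at login (the usual cause of "bad ownership or modes for chroot directory" failures), and `sshd -t` before the restart. The function names mode_ok, check_chroot_path, render_sftp_match_block and apply are my own.

```shell
#!/usr/bin/env bash
# Added example, not the original post's commands: provisions one chroot-jailed
# SFTP account following the steps above and pre-flight checks the jail the way
# sshd does, so a broken setup is caught before the daemon is restarted.
# Usage:  sudo ./sftp-chroot.sh apply <username> '<ssh public key line>'
# Assumptions: Ubuntu 22.04 (GNU stat, OpenSSH with internal-sftp) and the
# post's names: group sftpgroup, jail root /sftpusers, key store
# /etc/ssh/authorized_keys. Function names are my own.
set -eu

SFTP_GROUP=sftpgroup
SFTP_ROOT=/sftpusers
KEY_DIR=/etc/ssh/authorized_keys
SSHD_CONFIG=/etc/ssh/sshd_config
MARKER='# sftp-chroot: managed block'

# A ChrootDirectory component passes sshd's "bad ownership or modes" check only
# if neither the group nor the other write bit is set. Argument: octal mode as
# printed by stat -c %a (e.g. 701, 755, 2750).
mode_ok() {
    [ $(( 0$1 & 022 )) -eq 0 ]
}

# Walk from the jail root up to /: every component must be owned by root
# (uid 0) and pass mode_ok, otherwise sshd refuses the login at chroot time.
check_chroot_path() {
    dir=$1
    while :; do
        owner=$(stat -c %u "$dir")
        mode=$(stat -c %a "$dir")
        [ "$owner" = 0 ] || { echo "$dir: not owned by root" >&2; return 1; }
        mode_ok "$mode" || { echo "$dir: writable by group/other (mode $mode)" >&2; return 1; }
        [ "$dir" = / ] && return 0
        dir=$(dirname "$dir")
    done
}

# The Match block from the post, already in its key-only form. Everything after
# a Match line belongs to it, which is why it goes at the end of sshd_config.
render_sftp_match_block() {
    cat <<EOF
$MARKER
Match Group $1
    ChrootDirectory $2/
    ForceCommand internal-sftp -d /%u
    AuthorizedKeysFile $KEY_DIR/%u .ssh/authorized_keys
    PermitRootLogin no
    PermitEmptyPasswords no
    AllowAgentForwarding no
    AllowTcpForwarding no
    X11Forwarding no
    PermitTunnel no
    PasswordAuthentication no
EOF
}

apply() {
    user=$1; pubkey=$2
    getent group "$SFTP_GROUP" >/dev/null || groupadd "$SFTP_GROUP"
    id "$user" >/dev/null 2>&1 || useradd -g "$SFTP_GROUP" -s /usr/sbin/nologin "$user"

    # Jail root owned by root and not group/other writable (701 as in the post);
    # the user's own directory below it is writable only by the user.
    mkdir -p "$SFTP_ROOT/$user"
    chown root:root "$SFTP_ROOT"; chmod 701 "$SFTP_ROOT"
    chown "$user:$SFTP_GROUP" "$SFTP_ROOT/$user"; chmod 700 "$SFTP_ROOT/$user"

    # Root-owned key store outside the jail; the per-user file is created by
    # root, so the user cannot add keys to their own account.
    mkdir -p "$KEY_DIR"; chown root:root "$KEY_DIR"; chmod 755 "$KEY_DIR"
    printf '%s\n' "$pubkey" >> "$KEY_DIR/$user"; chmod 644 "$KEY_DIR/$user"

    # Append the Match block once; the marker keeps repeated runs from
    # adding duplicate blocks.
    grep -qF "$MARKER" "$SSHD_CONFIG" ||
        render_sftp_match_block "$SFTP_GROUP" "$SFTP_ROOT" >> "$SSHD_CONFIG"

    check_chroot_path "$SFTP_ROOT"   # the ownership/mode walk sshd repeats at login
    sshd -t                           # syntax check before touching the running daemon
    systemctl restart ssh             # ssh.service on Ubuntu; sshd is an alias of it
}

if [ "${1:-}" = apply ]; then
    apply "$2" "$3"
fi
```

Run it as root with `apply`, the login name and the user's public key line. Without the `apply` argument the script only defines its functions, so `check_chroot_path /sftpusers` can be used on its own to diagnose a jail that sshd rejects after someone has loosened permissions on /sftpusers or on a parent directory.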