Locking down SFTP


This is a small recipe to increase the security around a SFTP interface.

In the /etc/ssh/sshd_config file include the following settings:

Subsystem sftp internal-sftp

This configures the sftp subsystem to use the internal sftp implementation. This is because inside the chroot, we usually will not have the normal sftp-server executable.

For each user that will be doing sftp do:

Match User sftp-only-user-name
  ChrootDirectory /only/path
  ForceCommand internal-sftp
  X11Forwarding no
  AllowTcpForwarding no
  PermitTTY no

Alternative you could do Match Group and have multiple sftp-only users in the specified group.

The options are:

  • ChrootDirectory /only/path : Note that this directory must have mode 0755 and be owned by root. If this is not the case, logins will fail with error:
    bad ownership or modes for chroot directory \
  • ForceCommand internal-sftp : Only allow sftp. No other command will be allowed.
  • X11Forwarding, AllowTcpForwarding, PermitTTY as no : These make sure that the remote user doesn't try to open holes at the SSH protocol levels.


Sftp icons created by Freepik - Flaticon