When you have a server with SSH access, unless you’ve configured it otherwise, any user with an account on that system can log in and, if they have the permissions and skill, wreak havoc on your server.

SEE: 40+ open source and Linux terms you need to know (TechRepublic Premium)

You don’t want that. 

What you can do is restrict those users with a chroot jail. By doing this you severely limit what those users can do on your system. In fact, any user who is limited to a chroot jail can:

1. Only access the server via sftp
2. Only access a specific directory

This is a great security addition to your Linux servers, and if you require such a use case, consider it a must-do. This is especially important if you have a server that houses sensitive data and you don’t want users even viewing those files and folders.

This setup isn’t all that challenging. In fact, the configuration is much easier than finding ways to deploy the feature. But on those occasions when you do need to severely restrict what a user can access on your Linux servers, this is one sure-fire way of doing so.

What you’ll need

To make this work, you’ll need a running instance of Linux and a user with sudo privileges. That’s it. Let’s make some security magic.

How to create a restricted group and add users on a Linux server

The first thing we must do is create a new group and add users to it. Create the group with:

sudo groupadd restricted

Next, add a user to the group with the command:

sudo usermod -g restricted USERNAME

Where USERNAME is the user you want to add to the restricted group.

SEE: Linux turns 30: Celebrating the open source operating system (free PDF) (TechRepublic)

How to configure SSH

Open the SSH daemon configuration file with:

sudo nano /etc/ssh/sshd_config

Look for the line (near the bottom):

Subsystem sftp /usr/lib/openssh/sftp-server

Change that line to:

Subsystem sftp internal-sftp

At the bottom of the file, add the following:

Match group restricted ChrootDirectory /home/ ForceCommand internal-sftp AllowTcpForwarding no X11Forwarding no

Save and close the file. Restart SSH with:

sudo systemctl restart ssh

Now, go back to another machine and attempt to SSH into the server with the user, such as:

ssh olivia@192.168.1.147

You’ll see the warning:

This service allows sftp connections only.
Connection to 192.168.1.147 closed.

In order for any user in the restricted group to log into the server, they must use sftp like so:

sftp USERNAME@SERVER

Where USERNAME is the username and SERVER is the IP address or domain of the server. Once they successfully log in, they’ll be at the sftp prompt where they can transfer files back and forth with the put and get commands. Those restricted users can only upload files to their home directories. When a restricted user initially logs in, they’ll be in the /home directory. So, to successfully upload, they would have to change into their home directory with a command like:

cd olivia

Once in their home directory, they can then issue a command like:

put file1

As long as that file is in the current working directory of the machine they logged into the server from, it’ll upload just fine. If those users only need to download files to their local machine, they’d use a command like:

get file1

I realize this is a very limiting configuration with very limited use cases, but at some point in your Linux admin career, you’re going to run into an instance where you need to limit users to logging into a chroot jail. This is one way to do it. 

Subscribe to TechRepublic’s How To Make Tech Work on YouTube for all the latest tech advice for business pros from Jack Wallen.

Cybersecurity Insider Newsletter

Strengthen your organization’s IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered Tuesdays and Thursdays

Sign up today

Also see