sFTP Chroot (with BIND mounts)

This guide will go through secure FTP (sFTP) which uses the ssh port 22. sFTP is more secure than FTP as it encrypts data. This guide will explain how to jail a user so that they have no way to break out of their home directory. You are then able to mount a location to their home directory so that they can upload files to a website. For example: sftpluke needs to upload files to /var/www/vhost/lukeslinuxlessons/. You can chroot sftpluke to /home/chroot/sftpluke/ and then mount /var/www/vhost/lukeslinuxlessons/ to their home directory. This means they can upload to the correct website directory without needing access to it.

Quick Links
sFTP Group
Creating a chroot directory
Creating a chroot user
Configuring sshd_config
Permissions for chroot directory
Testing Chroot sFTP

sFTP Only Group

groupadd sftponly

Creating a chroot Directory

Now we need to create a home directory which we will be chrooting our sFTP user to. In this directory you are able to have more directories, each one relating to a different website etc. You should create the directory with the command.

mkdir -p /home/chroot/lukes-jail/

If you wanted to add more users later, you are able to add granular control by creating another home directory in similar fashion. E.g

mkdir -p /home/chroot/sams-jail/


Adding a chroot user

We can now add a user with a specific home directory and NO shell login. This means they will NOT be able to SSH into the server, only sFTP.  We will also add the user to the sftponly group.

useradd -d /home/chroot/lukesjail/ -s /sbin/nologin -G sftponly lukeisjailed

Now change the password with

passwd lukeisjailed


Configuring sshd_config file

We need to make a few changes to /etc/ssh/sshd_config file.

You will need to locate and comment-out the following line:

Subsystem sftp /usr/libexec/openssh/sftp-server

Once you have done this you will need to add the following lines to the bottom of the file:

Subsystem     sftp   internal-sftp
         Match Group sftponly
         ChrootDirectory %h
         X11Forwarding no
         AllowTCPForwarding no
         ForceCommand internal-sftp

Now you need to restart sshd. You can either run sshd -t first (which should return NO message) or you can be brave and just perform service sshd restart



Now we need to make sure that the home directory for the lukeisjailed user has the correct permissions.

You should perform the following:

chmod 711 /home/chroot/

chmod 755/home/chroot/lukesjail/

chown root:root /home/chroot/lukes-jail/

You will then need to set the permissions of the mount directory (e.g /home/chroot/lukes-jail/website1/) to user:group with

chown lukeisjailed:sftponly /home/chroot/lukes-jail/website1/



We can specify which directory we would like to mount and where. We need to edit /etc/fstab and type the following command. You will need to replace the first directory path with the path you wish to allow the sftp user access to. The second path is the chrooted sFTP users home directory. Add the following to the bottom of fstab:

/var/www/vhost/lukeslinuxlessons/ /home/chroot/lukes-jail/website1/ none bind 0 0

Now we can mount a specific directory to the users chrooted home directory.

mount /home/chroot/lukes-jail/website1/

This command mounts the directory stated in /etc/fstab to the directory we have just specified (/home/chroot/lukes-jail/website1/)

And your done!


Testing sFTP chroot

You can test the chroot a couple of ways.

Try logging in with the user via ssh, this should fail as we have disabled ssh login.

ssh [email protected]

Now we can test sftp via command line with

sftp [email protected]

This should prompt you for a password and then successfully log in. You should see:


Now you can test to see if it has been configured correctly by typing the following:

sftp> pwd
Remote working directory: /
sftp> ls
sftp> cd website1
sftp> ls
file1 file2 file3


This section will be updated regularly with issues and fixes.

sftp [email protected] -v

The command above should tell you if the issue is a password for the user is correct or not