OpenSSH: sftp-only chrooted user

To create an SSH user that is only allowed SFTP access (and no SSH/shell access), add the following to /etc/ssh/sshd_config:

Match User some-user
    ChrootDirectory /home/some-user
    AllowTCPForwarding no
    X11Forwarding no
    ForceCommand internal-sftp
    #PasswordAuthentication yes

Please note that for this to work, the user's home directory (the ChrootDirectory) and every directory on the path leading to it must be owned by root and must not be writable by any other user or group - otherwise sshd will refuse the login.

Uncomment the PasswordAuthentication line if you want to use password authentication with this user.

If you need this user to edit a web directory, for example, a typical workaround is:

  • keep the user's home directory owned by root
  • bind-mount the web directory into the user's directory, for example to /home/some-user/

This is how the /etc/fstab entry for the bind mount should look:

/var/www/ /home/some-user/  none    defaults,bind   0 0