https://aznot.com/index.php?action=history&feed=atom&title=SFTP
SFTP - Revision history
2026-04-30T05:50:20Z
Revision history for this page on the wiki
MediaWiki 1.41.0
https://aznot.com/index.php?title=SFTP&diff=214&oldid=prev
Kenneth: /* chroot SFTP */
2014-06-23T15:04:06Z
<p><span dir="auto"><span class="autocomment">chroot SFTP</span></span></p>
<p><b>New page</b></p><div>== SFTP Client ==<br />
<br />
SFTP server example:<br />
sftp user@server<br />
<br />
VMware SFTP server example:<br />
sftp -o Port=443 user@sftp2.engx.vmware.com<br />
<br />
Batch mode:<br />
# a batchfile of ‘-’ may be used to indicate standard input<br />
sftp -b batchfile user@server<br />
<br />
=== Password Solution ===<br />
<br />
Password Solution: [http://stackoverflow.com/questions/5386482/how-to-run-the-sftp-command-with-a-password-from-bash-script]<br />
<br />
You have few options other than using public key authentication:<br />
<br />
# Use keychain<br />
# Use sshpass (less secured but probably that meets your requirement)<br />
# Use expect (least secured and more coding needed)<br />
<br />
If you decide to give sshpass a chance here is a working script snippet to do so:<br />
<br />
<pre><br />
export SSHPASS=your-password-here<br />
sshpass -e sftp -oBatchMode=no -b - sftp-user@remote-host << !<br />
cd incoming<br />
put your-log-file.log<br />
bye<br />
!<br />
</pre><br />
<br />
== SFTP Server ==<br />
<br />
To provide SFTP access to linux accounts only (no shell access) change user's shell to:<br />
test:x:501:50::/ftp:/usr/libexec/openssh/sftp-server<br />
<br />
RedHat:<br />
/usr/libexec/openssh/sftp-server<br />
<br />
Ubuntu:<br />
/usr/lib/openssh/sftp-server<br />
<br />
=== chroot SFTP ===<br />
<br />
/etc/passwd:<br />
testuser:x:501:501:,,,:/:/sbin/nologin<br />
<br />
Create group:<br />
groupadd sftpusers<br />
<br />
/etc/ssh/sshd_config:<br />
#Subsystem sftp /usr/lib/misc/sftp-server<br />
Subsystem sftp internal-sftp<br />
<br />
# for group with one chroot (my favorite)<br />
Match Group sftpusers<br />
ChrootDirectory /data/chroot<br />
ForceCommand internal-sftp<br />
<br />
# for group (alternative method)<br />
Match Group sftpusers<br />
ChrootDirectory /home/%u<br />
ForceCommand internal-sftp<br />
AllowTcpForwarding no<br />
X11Forwarding no<br />
<br />
# for user (alternative method)<br />
Match User [USER]<br />
ChrootDirectory /home/%u<br />
ForceCommand internal-sftp<br />
<br />
# if wanting ssh keys to work:<br />
#AuthorizedKeysFile %h/.ssh/authorized_keys<br />
AuthorizedKeysFile .ssh/authorized_keys<br />
<br />
Force umask on ssh, add to /etc/pam.d/sshd: [http://serverfault.com/questions/228396/how-to-setup-sshs-umask-for-all-type-of-connections]<br />
session optional pam_umask.so umask=2002<br />
<br />
Restart SSH:<br />
service sshd restart # RHEL<br />
service ssh restart # Debian<br />
<br />
Set root folder permissions (required for chroot)<br />
# To avoid this error: "fatal: bad ownership or modes for chroot directory"<br />
# chown root.root /home/[USER]<br />
# chmod 755 /home/[USER]<br />
chown root.root /data/chroot<br />
chmod 755 /data/chroot<br />
<br />
Create a pub directory:<br />
mkdir /data/chroot/pub<br />
chmod 2775 /data/chroot/pub<br />
chown nobody.sftpusers /data/chroot/pub<br />
# chown nobody.nogroup /data/chroot/pub # match samba<br />
<br />
Create user:<br />
adduser [USER]<br />
<br />
Set user's home path to '/' and disable shell login:<br />
usermod -d / [USER]<br />
usermod -s /sbin/nologin [USER]<br />
<br />
Add user to the sftpusers group:<br />
#usermod -a -G sftpusers,nogroup [USER]<br />
usermod -a -G sftpusers [USER]<br />
usermod -a -G nogroup [USER] # match samba<br />
<br />
References:<br />
* SFTP Server - Gentoo Linux Wiki - http://en.gentoo-wiki.com/wiki/SFTP_Server<br />
* How to setup ssh's umask for all type of connections - Server Fault - http://serverfault.com/questions/228396/how-to-setup-sshs-umask-for-all-type-of-connections<br />
<br />
== keywords ==<br />
<br />
[[Category:Linux]]</div>
Kenneth