Automating Threat Intelligence series
May 04, 2025
Chrooted SFTP
By default, OpenSSH lets SSH/SFTP users browse the whole filesystem. In many cases this is not the expected behavior: users should be confined to their home directory only.
This setup is often called “Chrooted SFTP”.
As we discussed before, SFTP users can see the whole system by default:
# sftp andrea@localhost
Connecting to localhost...
andrea@localhost's password:
sftp> pwd
Remote working directory: /home/andrea
Users can be confined by switching the SFTP backend to the in-process internal-sftp (a chroot needs no external sftp-server binary inside the jail):
# /etc/ssh/sshd_config
[...]
#Subsystem sftp /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftp
[...]
Users in the webmaster group should only be able to access the webserver directory; other users should be restricted to their home directory. Match blocks must come at the end of the file, because everything after a Match line belongs to that block:
# /etc/ssh/sshd_config
[...]
Match User webmaster
ChrootDirectory /var/www/html
AllowTCPForwarding no
X11Forwarding no
ForceCommand internal-sftp
Match Group users
ChrootDirectory /home
AllowTCPForwarding no
X11Forwarding no
ForceCommand internal-sftp
[...]
Now users are restricted and cannot leave the configured directory:
andrea@localhost's password:
sftp> pwd
Remote working directory: /
Enabling a restricted interactive SSH shell is more complicated: a shell session needs many components, such as bash and the shared libraries it links against. The reason is simple: once a user enters a confined environment, they cannot reach anything outside it, so every required component must be copied into the directory where users are “chrooted”.
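As an added example (not code from the original post), the shell functions below do that copying for one binary: parse_ldd turns ldd output into the list of libraries a program needs, and install_into_chroot copies the binary and each library into the jail under its original path. The jail path /home/jail and the binary /bin/bash in the usage comment are placeholders; the constructed ldd output in SAMPLE_LDD is there only to exercise the parser offline and does not describe a real host.

```shell
# Added example: populate a chroot with a binary and the shared libraries
# it depends on, so a ChrootDirectory can host an interactive shell.

# Constructed ldd output (not from a real host), used to exercise parse_ldd.
SAMPLE_LDD=$(printf '\tlinux-vdso.so.1 (0x00007ffd)\n\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f)\n\t/lib64/ld-linux-x86-64.so.2 (0x00007f)\n')

# Turn ldd output into one absolute library path per line.
# Handles both "name => /path (addr)" lines and the bare "/path (addr)" line
# for the dynamic loader; the vdso line and "statically linked" yield nothing.
parse_ldd() {
  awk '$2 == "=>" && $3 ~ /^\// { print $3 }
       $1 ~ /^\// { print $1 }'
}

# Copy a binary plus its dependencies into the chroot, preserving the
# directory layout so the loader finds everything at its usual path.
install_into_chroot() {
  chroot=$1; bin=$2
  for f in "$bin" $(ldd "$bin" | parse_ldd); do
    mkdir -p "$chroot$(dirname "$f")"
    cp -p "$f" "$chroot$f"
  done
}

# Usage (as root, after the chroot directory itself passes sshd's ownership
# rule): install_into_chroot /home/jail /bin/bash
```

Repeat install_into_chroot for every program the confined shell should offer; libraries loaded at runtime with dlopen (name-service modules, for instance) do not show up in ldd and have to be added by hand.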