
Linux shell to restrict sftp users to their home directories?


I need to give SFTP access to a directory within my webroot on my server. I've set up ben_files as a user and have set his home directory to

/var/www/vhosts/mydomain.example/files

That's all fine if he connects with plain old FTP - he's restricted just to that directory, but to enable SFTP I had to add him to bin/bash shell, which suddenly opens up my entire server...

Is there a way of giving him SFTP access but without opening up all my directories? I'd really like him restricted to only his home.


Solution

  • OpenSSH ≥ 4.8 supports a ChrootDirectory directive.

    Add to /etc/sshd_config or /etc/ssh/sshd_config or whatever your setup's global sshd config file is:

    Match user ben_files
            # The following two directives force ben_files to become chrooted
            # and only have sftp available.  No other chroot setup is required.
            ChrootDirectory /var/www/vhosts/mydomain.example/files
            ForceCommand internal-sftp
            # For additional paranoia, disallow all types of port forwardings.
            AllowTcpForwarding no
            GatewayPorts no
            X11Forwarding no