I've tried to follow this howto:

https://devanswers.co/configure-sftp...document-root/

which left me with an ssh service unable to start.

This one did better:

https://www.linode.com/docs/tools-re...an-and-ubuntu/

It works. My user can connect but he´s still not properly chrooted.

Have I missed something? Is there an error in the last howto?

Regards,
Søren

It looks ok, at a glance. The things to check would be :

1) that the chroot target is owned by root and not writable by other accounts.

2) that your account is a member of the group being chrooted

Aside from those things can you post what you've added to sshd_config?

Hello,

You can follow below steps

1. create user with home directory which you want chrooted
2. owner for chrooted directory should be root with only root has write permission
3. make below changes in /etc/ssh/sshd_config file
#Subsystem sftp /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftp
Match User <your user name>
ChrootDirectory <directory which you want to chroot>
4. Refresh your ssh service with below command
kill -HUP <ssh service PID>

Thanks,
Sunil

I Haven't had a change to look at your suggestion yet sunilpopaliya, but I'm sure if Turbocapitalist wants to spar a little with me (I've deduced you're not a noob by now ), this probelem will be solved.

The problem is, as you say, that the parent of the directory where the SFTP user is dropped must belong to root and only to root. As it is, though, the user is dropped in his/her home dir and I dont really want to mess with /home.

I made the followoing changes to /etc/ssh/sshd_config:

Changed:

# override default of no subsystems
#Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem sftp internal-sftp


Made this based on the group "filetransfer" per howto #2 above.

Now %h is obviously the user's /home directory as that as where they're put.

I've tried various forms of %h/ftp/home but without much luck, I'd rather jail a user a little into a directory a little further up the chain, or longer into their user home if you will.

Regards,
Søren

The chroot and all the directories above it must be owned by root and not writable by anyone else, no matter how deep down it is is to be found. Another way around that problem is to chroot to /home/ since it meets those conditions and then move them immediately to their own home.

That assumes a normal system where the home directory matches the user name.

See also "man sshd_config", "man sftp-server", or Chrooted SFTP Accounts

If you don't want them to be able to sneak up a level and read the other home directories, then change the permissions to fix that.

Edit: 710 and 750 assume that the group is still the same for the home directories and has not been changed to that of root. If even the group has been changed then use 701 or 705 instead. But it is best to leave the group unchanged for the home directories and merely adjust the permissions.

Ok This wasnt pretty. Instead of being put in his home directory hes now dropped in root /.

That was not a step in the right direction. To make matters worse he now has no permissions to enter his own home. I assume because that root now completely owns home. What are the default settings for /home? Im so smart I didnt look before applying the changes...

Man Im smart. (Thick sarcasm)

750 or 751 or 711 will work if the directory has the original group membership.

The defaults will be 755 for both /home/ and /home/* though for /home/* the owner of each directory would be the user and the group their primary group.

If you leave the group of the directory as the user's primary group but only change the owner to root, then you can use 751, 711, 750, or 710 for the permissions, assuming there is a subdirectory they can write to.

To match