How to Configure Chroot Environments for SFTP Access on Ubuntu 16.04


  1. A valid Alibaba Cloud Account. (Sign up now and get up to $1200 to test over 40 Alibaba Cloud products)
  2. An Alibaba Cloud ECS instance running Ubuntu 16.04 Operating system.
  3. A non-root user that can perform sudo tasks.

Step 1: Creating an SFTP Group

To better manage our chrooted users, we will create a group for them using the Linux groupadd command. Since this is a system wide setting, we will run the command using sudo:

$ sudo groupadd sftpusers

Step 2: Setting Up OpenSSH

As mentioned above, SFTP runs over the SSH protocol and therefore, it implements all the security and authentication features of SSH. With data encryption capabilities, SSH can largely prevent password sniffing and man-in-the-middle-attacks.

$ sudo nano /etc/ssh/sshd_config
#Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem sftp internal-sftp
Match Group sftpusers
ChrootDirectory %h
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
$ sudo service ssh restart

Step 3: Configuring User Accounts

Next, we are going to configure the user accounts and modifying the permissions for their root directory. For the sake of simplicity, we will use a hypothetical username jacob. You can add as many user accounts to the chroot environment depending on your needs.

$ sudo adduser jacob
Adding user `jacob' ...
Adding new group `jacob' (1006) ...
Adding new user `jacob' (1004) with group `jacob' ...
Creating home directory `/home/jacob' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:Enter Password
Retype new UNIX password:Enter Password
passwd: password updated successfully
Changing the user information for jacob
Enter the new value, or press ENTER for the default
Full Name []:
Room Number []:
Work Phone []:
Home Phone []:
Other []:
Is the information correct? [Y/n] y
$ sudo usermod -G sftpusers jacob
$ sudo chown root:root /home/jacob
$ sudo chmod 755 /home/jacob
$ sudo mkdir /home/jacob/public_html
$ sudo chown jacob:jacob /home/jacob/public_html
$ sudo mkdir /home/jacob/private_docs
$ sudo chown jacob:jacob /home/jacob/private_docs
$ sudo chmod 700 /home/jacob/private_docs

Step 4: Testing the Configuration

Once the chroot settings are in place, you can try to connect to your Ubuntu 16.04 Alibaba Cloud server through sftp using the credentials of the user that we have created.

$ sftp jacob@
The authenticity of host' can't be established.
ECDSA key fingerprint is SHA256:2wDenY0R9/odsoiYTaSJCmTHNplmy4oWX7z2nIqUNOQ.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added ' ' (ECDSA) to the list of known hosts.
jacob@'s password:Enter password here
Connected to
sftp> pwd
Remote working directory: /

Step 5: Confirming Shell Access Restriction

For security purposes, you may wish to confirm if shell access is restricted as required for the chrooted user. To do this, try connecting to your Alibaba ECS instance via an SSH client with the credentials of the limited user. If you followed the guide, you won’t be able to gain access to the server.


In this guide, we have taken you through the steps of creating a group for chroot users on your Linux system. We also went ahead and configured OpenSSH to redirect users to the SFTP program so that they can upload files to their directory.



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Alibaba Cloud

Alibaba Cloud

Follow me to keep abreast with the latest technology news, industry insights, and developer trends. Alibaba Cloud website: