You would like to jail users to their home directories and not allow shell access, only sftp access.
SFTP chroot jail
1. Create a system group. Here I call it
2. edit the sshd_config file, usually residing in /etc/ssh/sshd_config
(in weird opensuse it’s in /usr/etc/sshd/ )
and append (it needs to be appended at the end):
Subsystem sftp internal-sftp
Match Group sftponly
and restart sshd.
PasswordAuthentication No means, users can only login with their ssh key, no passwords allowed.
3. create the skeleton structure for each new user
we create .ssh htdocs and log dirs.
4. add a user and chown its home directory to root:root and set the login shell to nologin.
Also add this user to the
sftponly group and set proper access octals.
On Rocky 9 it’s in
useradd -m -s /usr/sbin/nologin -G sftponly username
chown 0:0 /home/username
chmod 0755 /home/username
5. add the client’s ed25519 public key to /home/username/.ssh/authorized_keys
echo 'ssh-ed25519 AAAA... username@clientmachine' > /home/username/.ssh/authorized_keys
Where AAAA… is replaced by the actual public key from the client’s machine.
/home/username/.ssh/id_ed25519.pub file or that of your customer/friend/etc.
And that’s it.
Yes, that’s all there is to it.
The user will be able to transfer files via SFTP in the sub directories you created in step 3, but not write or create directories in the root directory.