Learn how to best share and exchange files with your clients by configuring your SFTP server to chroot a group of users to their home directory.

How to best share or exchange files with clients.

If you share or exchange files with your clients, as graphic designers, wedding photographers and video production companies do, then you should consider how this is best done. You will probably have the following list of requirements.

  • You want to ensure that clients can access and download their files at times that suit them.
  • You want to use software that is free and available for different types of desktop computers, smartphones and operating systems. This kind of software is known as an FTP client.
  • You must make sure that your clients only have access to their own files.
  • You might want to provide a way for your clients to send or upload files to you.

A well-proven solution that meets these requirements is an SFTP server running on a separate virtual private server (VPS) on the internet. SFTP is an encrypted, secure file transfer protocol that runs over the well-known SSH protocol. SFTP has replaced the old FTP file transfer protocol. FreeBSD runs OpenSSH, which is an open source implementation of SSH.

Illustration of client computer network with access to SFTP server on the internet.

How to chroot SFTP user group to their home directory.

Create a group for SFTP users who will be restricted, or chroot’ed, to their home directory. In this example, I will be performing the configuration on a FreeBSD operating system.

# pw groupadd sftp

Configure the SSH server so that it chroots SFTP users who are in the group. Restart the SSH server so that it loads the changes.

# nano /etc/ssh/sshd_config
Subsystem sftp /usr/libexec/sftp-server
Match Group sftp
ChrootDirectory /home/%u/
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
# service sshd restart

How to create a chroot’ed user.

Create a new SFTP user and add the user to the SFTP group while not allowing shell access. Create the chroot’ed directory and create a directory in which the user can upload and download files. In the following example, a user andy with the password AbCd will be chroot’ed to his home directory /home/andy and his upload directory /home/andy/upload. This user is assigned /sbin/nologin, so he is denied shell access via SSH.

# echo "AbCd" | pw useradd -n andy -d /home/andy -g sftp -m -M 755 -s /sbin/nologin -h 0
# chown -R root:sftp /home/andy
# mkdir -m 0770 /home/andy/upload

An alternative to password authentication is public SSH keys.

A note on risk of data security breach for SFTP servers.

You must test your solution before letting clients use it. Not doing so, or not correcting permission problems that you might or might not be aware of, could turn into serious problems.

You do not want a call from your client telling you that he had access to other clients' files, or even worse, your files too, and to learn that he accidentally downloaded them, shared them or used them in any way. This situation, also known as a security incident, would be a data security breach: an incident that has resulted in unauthorized access to computer data, that is, information that has been accessed without authorization.

A data breach would not only be embarrassing, concerning and troublesome, but also something that cannot be undone. You might also be obligated to report it to your clients and authorities.

How to test access and file permissions for the chroot’ed user.

Create a test user, or test the actual client user account itself, by entering the details into an SFTP client, such as FileZilla, and then logging into your SFTP server.

  • Test that the user cannot change directory to a directory that is located outside of the chroot’ed home directory. Examples are the “..” directory, /home or another private directory on the server.
  • Test that the user cannot modify or delete files that should be read-only.
  • Test that you can upload files that you wish to share with your client. You should do so by using the client's user credentials, so file permissions are set correctly.
  • Test that the user can download the files that you have uploaded.
  • Test that the user can upload files into the upload directory.
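
The permission side of these tests can also be checked on the server. The following script is an added example, not part of the original page: it applies the rule from sshd_config(5) that every component of the ChrootDirectory path must be a root-owned directory that is not writable by group or others. The script name check_chroot.sh, the function names and the optional UID argument are assumptions made for this example.

```sh
#!/bin/sh
# Added example, not from the original page.
# sshd_config(5): every component of the ChrootDirectory path must be a
# root-owned directory that is not writable by any other user or group.

# check_component DIR [UID]: check one directory. UID defaults to 0 (root);
# the parameter is an assumption added so the check can be tried without root.
check_component() {
    c_dir=$1
    c_uid=${2:-0}
    c_rc=0
    if [ ! -d "$c_dir" ]; then
        echo "FAIL $c_dir: not a directory"
        return 1
    fi
    # "ls -ldn" prints the mode string first and the numeric owner third.
    set -- $(ls -ldn "$c_dir" | awk '{print $1, $3}')
    case $1 in
        ?????w*) echo "FAIL $c_dir: group-writable ($1)"; c_rc=1 ;;
    esac
    case $1 in
        ????????w*) echo "FAIL $c_dir: writable by others ($1)"; c_rc=1 ;;
    esac
    if [ "$2" != "$c_uid" ]; then
        echo "FAIL $c_dir: owner uid $2, expected $c_uid"
        c_rc=1
    fi
    return $c_rc
}

# check_chroot_path DIR: check DIR and every parent directory up to /.
check_chroot_path() {
    p_dir=$(cd -- "$1" >/dev/null 2>&1 && pwd -P) || {
        echo "FAIL $1: cannot enter directory"
        return 1
    }
    p_rc=0
    while :; do
        check_component "$p_dir" || p_rc=1
        [ "$p_dir" = "/" ] && break
        p_dir=$(dirname "$p_dir")
    done
    return $p_rc
}

# Example: sh check_chroot.sh /home/andy   (the page's example user)
if [ $# -gt 0 ]; then
    check_chroot_path "$1"
fi
```

The script prints nothing and exits with status 0 when the path is acceptable. It only covers the chroot path itself, so the client-side tests in the list above are still needed.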

How to delete a chroot’ed user and home directory.

If you no longer serve the client, then you should delete his user account and home directory according to your data retention policy. You can delete the user and his chroot’ed directory with the following commands.

# pw userdel andy
# rm -rf /home/andy

More about user management.

If you need randomly generated strong passwords, which you should be using wherever you are required to use a password for an online service or other application, then I recommend that you use my Password Generator.

This page was last updated 2022-01-01.