Create Secure FTP Jails with OpenSSH on Debian/Ubuntu


If you don't already have OpenSSH server on your machine (you probably do if you're connected via SSH), install it:
apt-get update
apt-get install openssh-server

Next we modify the file /etc/ssh/sshd_config:

Comment out the following line by prepending a #:
Subsystem sftp /usr/lib/openssh/sftp-server

And in the same file add this block right at the end:
Subsystem sftp internal-sftp
Match group ftpaccess
    ChrootDirectory %h
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp

The group ftpaccess in the above block needs to be created:
groupadd ftpaccess
Basically, we're going to allow SFTP access only to users that belong to this group.

So we're going to create a new user and add him to this group:
useradd -m peter -g ftpaccess -s /usr/sbin/nologin -d /home/peter
passwd peter

I've added the -d flag in case you want to specify a different home folder.

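A special requirement of the SFTP chroot is that the home folder of this user (the ChrootDirectory) must belong to root and must not be writable by group or others; otherwise sshd rejects the login. Subfolders, however, should belong to the user himself and his group, as follows: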
chown root /home/peter
mkdir /home/peter/example
chown peter:ftpaccess /home/peter/example

Finally you should restart ssh:
service ssh restart

Now you should be able to connect to your machine via SFTP and have read/write access to the folder example. You will not be able to access anything above /home/peter.
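
The ownership rule for the chroot folder described above can be checked before anyone tries to log in. The script below is an added example, not part of the original article; its function names are made up for illustration, and it assumes GNU stat as shipped on Debian/Ubuntu.

```sh
#!/bin/sh
# Added example, not from the original article.
# Pre-flight check for ChrootDirectory: sshd refuses the session unless every
# directory from / down to the chroot is owned by root and is not writable by
# group or others.

# check_component DIR [UID]
# Succeeds if DIR is a directory owned by UID (default 0, i.e. root) with
# neither the group-write nor the other-write permission bit set.
check_component() {
    cc_dir=$1
    cc_uid=${2:-0}
    [ -d "$cc_dir" ] || { echo "FAIL $cc_dir: not a directory"; return 1; }
    # -L follows symlinks, so the directory itself is inspected
    cc_info=$(stat -L -c '%u %a' -- "$cc_dir") || return 1
    cc_owner=${cc_info% *}
    cc_mode=${cc_info#* }
    if [ "$cc_owner" != "$cc_uid" ]; then
        echo "FAIL $cc_dir: owner uid $cc_owner, expected $cc_uid"; return 1
    fi
    # 022 = group-write | other-write; the leading 0 makes the mode octal
    if [ $(( 0$cc_mode & 022 )) -ne 0 ]; then
        echo "FAIL $cc_dir: mode $cc_mode is group- or world-writable"; return 1
    fi
    echo "ok   $cc_dir"
}

# check_chroot_path ABSOLUTE_PATH [UID]
# Applies check_component to the path and to each parent directory up to /.
check_chroot_path() {
    cp_path=$1
    cp_uid=${2:-0}
    cp_rc=0
    case $cp_path in
        /*) ;;
        *) echo "FAIL $cp_path: path must be absolute"; return 2 ;;
    esac
    while :; do
        check_component "$cp_path" "$cp_uid" || cp_rc=1
        [ "$cp_path" = / ] && break
        cp_path=$(dirname "$cp_path")
    done
    return "$cp_rc"
}

# Usage: sh check-chroot.sh /home/peter
if [ "$#" -gt 0 ]; then
    check_chroot_path "$1"
fi
```

Run it as root with the chroot path, for example /home/peter. In addition, sshd -t validates sshd_config before the restart.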