using OpenSSH/SFTP to replace an FTP server securely

Nico Kadel-Garcia nkadel at
Tue May 20 21:55:39 EST 2014

On Tue, May 20, 2014 at 3:32 AM, Damien Miller <djm at> wrote:
> On Mon, 19 May 2014, Ángel González wrote:
>> If you want something different, like chrooting them at /chrooted-users/foo,
>> you can use the -d parameter in the ForceCommand, i.e.
>>  ForceCommand internal-sftp -d /%u
> If you're willing to live with a single chroot directory and file
> permissions to keep users from each others' files then this is a great
> solution. It only requires a single /chrooted-users/dev/log listener
> too.
> -d

The necessity for additional arcanery, of having non-user-owned
contents inside each working chrooted directory, and this kind of
"make one chroot, but rely on the users to correctly set permissions
and block access to each other's content, even though they can see
each other's directories by default" is exactly why the sftp chroot
setup is not ideal.

If you *must* do this sort of thing, I'd urge running it on a separate
sshd, with a separate sshd_config, running on another port, just to
keep it away from your SSH logins for other users and other uses. If
you're not compelled for other reasons to use this, vsftpd with FTPS
is a *lot* easier to set up.
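
An audit of the shared-chroot layout discussed in this thread, as an added example that is not part of the original message or of OpenSSH. It assumes one directory per user, named after the account, directly under /chrooted-users, plus a dev directory for the log socket; the function names are hypothetical.

```python
import os
import pwd
import stat

CHROOT = "/chrooted-users"  # path used in the thread
SKIP = {"dev"}  # not a user directory: holds the dev/log socket


def check_chroot_path(chroot, root_uid=0):
    """sshd refuses a ChrootDirectory unless every path component is
    root-owned and not writable by group or others."""
    findings = []
    path = os.path.abspath(chroot)
    while True:
        st = os.stat(path)
        if st.st_uid != root_uid:
            findings.append((path, "not owned by root"))
        if st.st_mode & 0o022:
            findings.append((path, "writable by group or others"))
        parent = os.path.dirname(path)
        if parent == path:
            return findings
        path = parent


def check_user_dirs(chroot, uid_for=lambda name: pwd.getpwnam(name).pw_uid):
    """With 'internal-sftp -d /%u' each entry under the chroot is one user's
    start directory; flag any that other accounts could list or enter."""
    findings = []
    for name in sorted(os.listdir(chroot)):
        if name in SKIP:
            continue
        path = os.path.join(chroot, name)
        st = os.lstat(path)
        if not stat.S_ISDIR(st.st_mode):
            findings.append((path, "not a real directory"))
            continue
        try:
            if st.st_uid != uid_for(name):
                findings.append((path, "owner is not the user it is named for"))
        except KeyError:
            findings.append((path, "no matching account"))
        if st.st_mode & 0o077:
            findings.append((path, "accessible to group or others"))
    return findings


if __name__ == "__main__":
    for finding in check_chroot_path(CHROOT) + check_user_dirs(CHROOT):
        print(*finding, sep=": ")
```

An empty result means the chroot path meets sshd's ownership rule and every per-user directory is mode 0700 or tighter and owned by its user.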

More information about the openssh-unix-dev mailing list