Restricted User Shell
sftp on the client machine invokes sftp-server, without arguments, on the server.
We want to allow our users to use sftp to manage their public_html directories. The sftp-server will be executed in a chrooted environment, with the user's home directory as root. For this to work, each user's home must contain a copy of sftp-server (which we'll place in the ~/bin subdirectory) and all files it needs for normal execution: /etc/group and /etc/passwd with one entry each (for the user and his group), and, unless the binary is linked statically, all the shared libraries it is linked with, in the
Given these prerequisites, the following rule will ensure proper
    rule sftp-incoming
      match $command ~ "^.*/sftp-server"
      # Replace argv[0] with the path of the binary inside the chroot
      set [0] = "/bin/sftp-server"
      # Use the user's home directory as the chroot root
      chroot "~"
      chdir "public_html"
Notice the last action. Due to it, users don't have to change into public_html at the beginning of their sftp sessions.
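The prerequisites listed above (a copy of sftp-server under ~/bin, one-entry etc/passwd and etc/group, and the shared libraries of a dynamically linked binary) can be prepared with a script such as the following. It is an added example, not part of the Rush manual or distribution; the default sftp-server path, uid and gid values are assumptions.

```shell
#!/bin/sh
# Added example (not from the Rush manual): populate a user's home directory
# so that a chrooted sftp-server can run in it, as described in the text above.

# Create etc/passwd and etc/group under the chroot root, each with exactly one
# entry: the user and the user's group. No login shell is needed inside the
# chroot, so the shell field is set to /bin/false.
write_chroot_ident() {
  root=$1; user=$2; uid=$3; gid=$4
  mkdir -p "$root/etc" &&
  printf '%s:x:%s:%s::/:/bin/false\n' "$user" "$uid" "$gid" > "$root/etc/passwd" &&
  printf '%s:x:%s:\n' "$user" "$gid" > "$root/etc/group" &&
  chmod 0644 "$root/etc/passwd" "$root/etc/group"
}

# Copy the sftp-server binary into $root/bin. If it is dynamically linked, also
# copy every shared library ldd reports, keeping each library's absolute path
# below the chroot root (e.g. /lib/libc.so.6 becomes $root/lib/libc.so.6).
# A statically linked binary needs no libraries; ldd then prints no paths.
install_chroot_binary() {
  root=$1; bin=$2
  mkdir -p "$root/bin" && cp "$bin" "$root/bin/" &&
  chmod 0755 "$root/bin/$(basename "$bin")" || return 1
  # Pick every absolute path out of ldd's output; ldd's own failure on a
  # non-dynamic file is silenced and simply yields nothing to copy.
  ldd "$bin" 2>/dev/null |
  awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }' |
  while IFS= read -r lib; do
    mkdir -p "$root$(dirname "$lib")" && cp "$lib" "$root$lib" || exit 1
  done
}

# Check that a home directory satisfies the prerequisites: an executable
# bin/sftp-server plus etc/passwd and etc/group with exactly one line each.
# Returns 0 when the chroot is ready, 1 otherwise.
chroot_ready() {
  root=$1
  [ -x "$root/bin/sftp-server" ] || return 1
  [ "$(wc -l < "$root/etc/passwd" | tr -d ' ')" -eq 1 ] || return 1
  [ "$(wc -l < "$root/etc/group" | tr -d ' ')" -eq 1 ] || return 1
}

# Usage: sh prepare-sftp-chroot.sh HOME USER UID GID
# The sftp-server location below is an assumption; adjust it for your system.
if [ "$#" -eq 4 ]; then
  write_chroot_ident "$1" "$2" "$3" "$4" &&
  install_chroot_binary "$1" /usr/lib/openssh/sftp-server &&
  chroot_ready "$1"
fi
```

Run it as root once per user, then point the `set [0]` path in the rule at /bin/sftp-server relative to the chroot.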
This document was generated on June 29, 2019 using makeinfo. Verbatim copying and distribution of this entire article is permitted in any medium, provided this notice is preserved.