Chrooted SSH/SFTP Tutorial (Debian Etch) - Page 2

3 Second Method (Per Script)

There's a script called on that automates setting up SSH/SFTP chroot jails. It works flawlessly on Debian Etch.


3.1 Get The Script

First, we need to install some prerequisites:

apt-get install sudo debianutils coreutils

Then we download to /usr/local/sbin and make it executable for the root user:

cd /usr/local/sbin
chmod 700 /usr/local/sbin/


3.2 Use

Now we can already use the script. Usage is as follows: username [/path/to/chroot-shell [/path/to/chroot]]

It doesn't matter if the user is already existing or not. If he's existing, he will be updated; if not, he will be created. If you don't specify the path to chroot-shell and the path to the chroot jail, the default values /bin/chroot-shell and /home/jail will be used, e.g.: testuser

I want to use /home/chroot as the chroot jail, therefore I have to specify the path to chroot-shell as well: testuser /bin/chroot-shell /home/chroot

This will create/update the user testuser with the chroot jail /home/chroot.

To update all files/libraries in the chroot jail, run update

or update /bin/chroot-shell /home/chroot

depending on how you created your users.


3.3 ProFTPd

If you use ProFTPd, you should read this:

As mentioned on, you should not add /bin/chroot-shell to /etc/shells because that would allow users to break out of the chroot jail. This is a problem for ProFTPd, because in ProFTPd's standard configuration, only users with a shell listed in /etc/shells can use ProFTPd. This means, that users that use /bin/chroot-shell cannot use ProFTPd.

To change this, open /etc/proftpd/proftpd.conf and add:

vi /etc/proftpd/proftpd.conf

RequireValidShell               off

Then restart ProFTPd:

/etc/init.d/proftpd restart

Now all users can use ProFTPd, regardless of what shell they have, which again might not be something you want. But the best solution would be to simply use SFTP and drop normal FTP.


Share this page:

3 Comment(s)

Add comment



Hi All,

You can also use MySecureShell to chroot your SFTP connections, it's really simpler !

With MySecureShell you have a control of what your users do (like on FTP). And even you have a graphical interface to configure and manage SFTP connections.


On there is this statement: "There is a possible exploit, as somebody told me some days ago. If a local user outside the chroot knows the password of a chroot'ed user, he can get root. This exploit needs only one little program in C. " If this is true, then this whole chroot approach isn't good at all (password stealing is very easy sometimes). Can it be fixed somehow?

From: Anonymous

thanks for the tutorial, got it up and running in about 5 minutes as advertised. Planning on using it with apache to allow users to upload content for their website without having to give them access to /var/www/

should be fun.