OpenSSH 4.8p1 (for the GNU/Linux port) and later provide a configuration option, `ChrootDirectory`. This has been made possible by a new SFTP subsystem statically linked to sshd.

This makes it easy to replace a basic FTP service without the hassle of configuring encryption and/or bothering with FTP passive and active modes when operating through a NAT router. This is also simpler than packages such as rssh or other patches because it does not require setting up and maintaining (i.e. security updates) a chroot environment.

To enable it, you obviously need the new version 4.8p1. I personally use the CVS version and the debian/ directory of the sid package to build a well-integrated Debian package 4.8p1\~cvs-1.

In `/etc/ssh/sshd_config`:

You need to configure OpenSSH to use its internal SFTP subsystem.

```bash
Subsystem sftp internal-sftp
```

Then, I configured `chroot()`ing in a match rule.

```bash
Match group sftponly
    ChrootDirectory /home/%u
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp
```

The directory in which to `chroot()` must be owned by root. After the call to `chroot()`, `sshd` changes directory to the user's home directory, interpreted relative to the new root directory. That is why I use `/` as home directory.

```console
$ chown root:root /home/user
$ usermod -d / user
$ adduser user sftponly
```

This seems to work as expected:

```console
$ sftp user@host
Connecting to host...
user@host's password:
sftp> ls
build               cowbuildinall       incoming            johnbuilderclean
sftp> pwd
Remote working directory: /
sftp> cd ..
sftp> ls
build               cowbuildinall       incoming            johnbuilderclean
```
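An added check, not part of the original article: sshd refuses the chroot unless every component of the `ChrootDirectory` path is a root-owned directory that is not writable by group or others, so this script walks the path up to `/` and reports each component that would be rejected. It assumes GNU `stat` (coreutils); the function names and the account name `user` are illustrative.

```shell
# Added example, not from the original article. Assumes GNU stat (coreutils).
# Audits a directory intended for use as ChrootDirectory in sshd_config.

# component_ok UID MODE
# Succeeds only if the owner is root (uid 0) and MODE (octal, as printed by
# `stat -c %a`) has neither the group-write nor the other-write bit set.
component_ok() {
    [ "$1" -eq 0 ] && [ $(( 0$2 & 022 )) -eq 0 ]
}

# check_chroot_path DIR
# Resolves DIR to its physical path, then checks DIR and every parent up
# to /. Prints one line per offending component.
# Exit status: 0 all components pass, 1 at least one fails,
#              2 DIR is missing or is not a directory.
# The body runs in a subshell so its variables do not leak to the caller.
check_chroot_path() (
    path=$(cd -- "$1" 2>/dev/null && pwd -P) || {
        echo "FAIL $1: not a directory"
        exit 2
    }
    rc=0
    while :; do
        # stat prints "<owner uid> <octal mode>"; split into $1 and $2
        set -- $(stat -c '%u %a' -- "$path")
        if ! component_ok "$1" "$2"; then
            echo "FAIL $path: owner uid=$1 mode=$2"
            rc=1
        fi
        [ "$path" = / ] && break
        path=$(dirname -- "$path")
    done
    exit "$rc"
)

# Usage with the article's layout (hypothetical account name "user"):
#   check_chroot_path /home/user && echo "usable as ChrootDirectory"
```

Running it before restarting sshd catches the common failure where the chroot target is still owned by the SFTP user or a parent directory is group-writable.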

> We inlined the original instructions from [https://debian-administration.org/article/590/OpenSSH\_SFTP\_chroot\_with\_ChrootDirectory](https://web.archive.org/web/20190316222106/https://debian-administration.org/article/590/OpenSSH%5FSFTP%5Fchroot%5Fwith%5FChrootDirectory) as at the time of writing that website no longer functions.
