chroot sftp with OpenSSH


This describes configuring an OpenBSD server specifically, but the sshd_config settings should work on any distro.

The result is users with sftp-only privileges who, upon login, are jailed into a directory and have write access only to a subdirectory.


A recent version of OpenBSD, or a Linux distribution, running openssh-server


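Add the following to your /etc/ssh/sshd_config file. Keep the Match block at the end of the file, because its settings apply to every line that follows it until the next Match line or the end of the file: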

# override default of no subsystems
#Subsystem      sftp    /usr/libexec/sftp-server

# sftp configuration
Subsystem       sftp    internal-sftp

Match Group sftponly
    ChrootDirectory %h
    ForceCommand internal-sftp
    X11Forwarding no
    AllowTcpForwarding no
    PasswordAuthentication yes

jail directory and user configuration

A quick and dirty bash script to configure the user directories.

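 #!/bin/bash
 # Run as root. SFTPDIR is the jail base directory, SFTPUSER the account name.
 : "${SFTPDIR:?SFTPDIR must be set}" "${SFTPUSER:?SFTPUSER must be set}"
 # The home directory is the chroot target (%h); the account gets no login shell.
 useradd -d "$SFTPDIR/$SFTPUSER" -s /sbin/nologin -g sftponly "$SFTPUSER"
 mkdir -p "$SFTPDIR/$SFTPUSER/upload"
 # The chroot path stays root-owned so the user cannot write to it.
 chown root:sftponly "$SFTPDIR"
 chmod 700 "$SFTPDIR"
 chown root:sftponly "$SFTPDIR/$SFTPUSER"
 # Only the upload subdirectory belongs to the user.
 chown "$SFTPUSER:nobody" "$SFTPDIR/$SFTPUSER/upload"
 chmod 700 "$SFTPDIR/$SFTPUSER/upload"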


  • User will not be allowed to write to their home directory, but they will be allowed to write to the ‘upload’ subdirectory.
  • Users will have read-only access to their home directory.
  • Restart the sshd server after making any changes to /etc/ssh/sshd_config
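
sshd refuses the session when any component of the ChrootDirectory path is not owned by root or is writable by group or others. The following check for that rule is an added example, not part of the original post; the function names, the optional owner-uid argument and the script name in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Mirrors the ownership and mode
# rule sshd applies to ChrootDirectory: every component must be a directory
# owned by root and not group- or world-writable.

# component_is_safe DIR OWNER_UID -> status 0 if DIR passes the rule
component_is_safe() {
    ls -ldnL -- "$1" 2>/dev/null | (
        read -r perms links uid rest || exit 1   # path does not exist
        case $perms in
            d????w*|d???????w*) exit 1 ;;        # group- or world-writable
            d*) [ "$uid" = "$2" ] ;;             # directory: owner must match
            *) exit 1 ;;                         # not a directory
        esac
    )
}

# check_chroot_path ABS_DIR [OWNER_UID] -> checks ABS_DIR and each parent up to /
# OWNER_UID defaults to 0 (root); the override is an assumption added for testing.
check_chroot_path() {
    ccp_path=$1
    ccp_owner=${2:-0}
    case $ccp_path in
        /*) ;;
        *) echo "need an absolute path" >&2; return 2 ;;
    esac
    while :; do
        if ! component_is_safe "$ccp_path" "$ccp_owner"; then
            echo "unsafe chroot component: $ccp_path" >&2
            return 1
        fi
        [ "$ccp_path" = / ] && return 0
        ccp_path=$(dirname "$ccp_path")
    done
}

# Usage (script name is hypothetical): sh check-chroot.sh "$SFTPDIR/$SFTPUSER"
if [ $# -gt 0 ]; then
    check_chroot_path "$@"
fi
```

Run it against each user's home directory after the setup script and before restarting sshd; a non-zero exit names the first component that would make sshd reject the login.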

Puppet agent on Windows 7

Puppet is very particular about the Ruby version on Windows.  While 2.2 and 2.3 versions of Ruby are available, puppet only runs without complaint on Ruby 2.1 on my Windows 7 box.

As of May 2016, I installed ruby 2.1.8 and puppet-agent 3.8.7.  I also had to install some gems to make puppet-agent happy.

 gem install win32-security win32-dir require win32-process top win32-service

Here are the links to downloads for puppet-agent and ruby:

No issues if you have the right version of ruby and the right gems.