Chrooted scponly on Debian

The standard tools to get scponly working on Debian 5 … don’t work. Here’s what to do to get scponly working.

First, if scponly was already installed, remove it using apt-get remove scponly.

Next, clean up any scponly changes:

  • Remove the scponly group in /etc/group
  • Remove the scponly user in /etc/passwd
  • Remove the scponly password in /etc/shadow

Now, get the latest version of scponly (as of this writing 20080308) from sourceforge here:

Next, untar and build using the command:

# ./configure --prefix=/usr --mandir=/usr/share/man --infodir=/usr/share/info --sysconfdir=/etc --enable-scp-compat --enable-winscp-compat --enable-chrooted-binary --enable-passwd-compat PROG_USERADD=/usr/sbin/useradd
# make
# make install

Once installed, run that’s in the source directory and create the initial scponly user. Follow the directions and you should end up with the directory /home/scponly.

Now, copy over all the libraries needed for sftp-server to run:

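for i in $(ldd /usr/lib/sftp-server | awk '{print $3}' | grep '^/'); do
  j="/home/scponly$i"          # same path, but inside the jail
  mkdir -p "$(dirname "$j")"   # create the library directory in the jail
  echo "$i -> $j"
  cp "$i" "$j"
done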

Create /dev/null:

# mkdir /home/scponly/dev
# cp -a /dev/null /home/scponly/dev/null

And finally, for 64-bit systems, copy over ld:

# mkdir /home/scponly/lib64
# cp /lib64/ /home/scponly/lib64

Once that’s done, you should have an scponly user that can connect using sftp or scp in a chrooted jail.
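To confirm the jail is complete before handing out accounts, the check below reads ldd output on stdin and verifies the copied libraries, dev/null, and the entry in the jail's etc/passwd that the note at the end of this page requires. It is an added example, not part of the original post or of scponly; the names check_jail and check_jail.sh are made up for it.

```shell
#!/bin/sh
# Added example, not part of scponly. Reads `ldd` output on stdin and checks
# that the jail given as $1 holds everything the steps above put there.
# Prints one line per problem; returns 0 if the jail is complete, 1 if not.
check_jail() {
    jail=$1
    problems=0

    # Every absolute path ldd prints must exist at the same path in the jail.
    # Scanning all fields (not just $3) also catches the dynamic loader,
    # which ldd lists as "/lib64/ld-... (0x...)" with the path in column 1.
    for lib in $(awk '{ for (f = 1; f <= NF; f++) if ($f ~ /^\//) print $f }'); do
        if [ ! -e "$jail$lib" ]; then
            echo "missing library: $jail$lib"
            problems=$((problems + 1))
        fi
    done

    # dev/null must be a real character device; a regular file or a symlink
    # pointing outside the jail is useless after chroot().
    if [ ! -c "$jail/dev/null" ] || [ -L "$jail/dev/null" ]; then
        echo "not a character device: $jail/dev/null"
        problems=$((problems + 1))
    fi

    # The jail's own passwd file needs at least one (possibly bogus) entry.
    if ! grep -q . "$jail/etc/passwd" 2>/dev/null; then
        echo "no entries in: $jail/etc/passwd"
        problems=$((problems + 1))
    fi

    [ "$problems" -eq 0 ]
}

# Run against the real jail only when a jail path is given on the command line:
#   ldd /usr/lib/sftp-server | sh check_jail.sh /home/scponly
if [ $# -gt 0 ]; then
    check_jail "$1"
fi
```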

The last thing I do is create /home/scponly/home where I can create multiple users in the same jail. In /etc/passwd the user’s home directory can be entered like this: /home/scponly//home/user and when the user logs in they end up in their own home directory.


Make sure that there is at least one entry (it can be bogus) in /home/scponly/etc/passwd, or else nothing will work. For example,




