
Fixing SFTP Chroot Error: Broken Pipe in Ubuntu 20.04


In this comprehensive guide, we will walk you through the process of fixing the SFTP Chroot error: Broken Pipe in Ubuntu 20.04. This error typically occurs when you are trying to establish SFTP-only users jailed to their home directory.

Quick Answer

To fix the SFTP Chroot error: Broken Pipe in Ubuntu 20.04, you need to modify the sshd_config file, set ownership and permissions for the /home/sftp directory, and create users with the correct settings. These steps will help you establish SFTP-only users jailed to their home directory and resolve the broken pipe error.

Understanding the Error

The “Broken Pipe” error in SFTP Chroot generally happens when there’s a problem with the connection between the client and the server. It’s a common issue when trying to set up SFTP-only users with restricted access to their home directory.

Prerequisites

Before we start, ensure that you have:

  1. A server running Ubuntu 20.04.
  2. Sudo or root privileges to modify system files and settings.

Step 1: Update sshd_config file

First, we need to modify the sshd_config file, which is the main configuration file for the SSH server. Open the file using a text editor of your choice. Here, we’ll use nano.

sudo nano /etc/ssh/sshd_config

Add the following lines to the end of the file:

Subsystem sftp internal-sftp
Match Group sftponly
 ForceCommand internal-sftp -d /%u
 PasswordAuthentication yes
 ChrootDirectory /home/sftp/%u
 PermitTunnel no
 AllowAgentForwarding no
 AllowTcpForwarding no
 X11Forwarding no

Here’s what each line does:

  • Subsystem sftp internal-sftp: This line makes sshd use its built-in SFTP server instead of the external sftp-server binary, which is necessary for the chroot environment because a chrooted user has no access to binaries or libraries outside the jail.
  • Match Group sftponly: This line matches any user in the ‘sftponly’ group.
  • ForceCommand internal-sftp -d /%u: This line forces the connection to use the SFTP protocol and sets the default directory to the user’s home directory.
  • PasswordAuthentication yes: This line allows users to authenticate using their passwords.
  • ChrootDirectory /home/sftp/%u: This line sets the chroot directory to the user’s home directory within the /home/sftp directory.
  • PermitTunnel no, AllowAgentForwarding no, AllowTcpForwarding no, X11Forwarding no: These lines disable various types of forwarding, increasing the security of the connection.

After adding these lines, save and close the file.

Step 2: Set Ownership and Permissions for /home/sftp

Next, we need to set the correct ownership and permissions for the /home/sftp directory. This is necessary to ensure the security and isolation of each user’s files. Run the following commands:

sudo chown root:root /home/sftp
sudo chmod 0711 /home/sftp

Here, chown root:root /home/sftp changes the ownership of the directory to the root user and group, while chmod 0711 /home/sftp sets the permissions so that only the owner (root) can write to the directory, but others can enter and access their own directories within it.

Step 3: Create Users with Correct Settings

Now, we can create users with the correct settings. For this example, we’ll create a user named ‘batman’. Run the following commands:

sudo adduser --quiet --disabled-password --shell /bin/false --no-create-home --gecos "User" batman
echo "batman:batman123" | sudo chpasswd
sudo usermod -a -G sftponly batman
sudo install -d -m 0755 /home/sftp/batman -o batman -g sftponly

These commands do the following:

  • adduser --quiet --disabled-password --shell /bin/false --no-create-home --gecos "User" batman: This command creates a new user named ‘batman’ with a disabled password, no shell, and no home directory.
  • echo "batman:batman123" | sudo chpasswd: This command sets the password for ‘batman’ to ‘batman123’.
  • usermod -a -G sftponly batman: This command adds ‘batman’ to the ‘sftponly’ group.
  • install -d -m 0755 /home/sftp/batman -o batman -g sftponly: This command creates the home directory for ‘batman’ in /home/sftp/batman with the correct ownership and permissions.

Final Thoughts

With these changes, users will only have access to their own directory (/home/sftp/batman), and upon login, they will appear to be within / (which is actually /home/sftp/batman). They will not be able to navigate to /home/sftp and see a list of other users.

Remember, if you encounter an error when changing the directory ownership, make sure to use the correct group name (sftponly) when setting the ownership.

By following these steps, you should be able to fix the SFTP Chroot error: Broken Pipe in Ubuntu 20.04. If you have any questions or run into any issues, feel free to ask in the comments section below.

What is SFTP Chroot?

SFTP Chroot is a method of restricting SFTP users to their home directory, providing a more secure environment by isolating their access to the server.

Why am I getting a “Broken Pipe” error in SFTP Chroot?

The "Broken Pipe" error usually occurs when there is a problem with the connection between the SFTP client and the server. It can be caused by network issues, server configuration problems, or incorrect permissions on directories.

Can I use a different text editor instead of nano to modify the sshd_config file?

Yes, you can use any text editor you prefer to modify the sshd_config file. Simply replace "nano" with the name of your desired text editor in the command provided.

What do the permissions “0711” mean for the /home/sftp directory?

The permissions "0711" mean that the owner (root) has read, write, and execute permissions, while others can only execute (enter) the directory. This ensures that only the owner can modify the directory contents, while others can access their own subdirectories within it.

How do I create additional SFTP-only users?

To create additional SFTP-only users, follow the example provided in Step 3, replacing ‘batman’ with the desired username. Make sure to adjust the commands accordingly to set the correct ownership and permissions for the new user’s home directory.
