BoKS makes it easy to create Access Routes to require a chroot environment for sftp. Using the internal-sftp subsystem instead of the sftp-server greatly simplifies setup of the environment itself.

This is because the authentication and authorization occur prior to switching to the chroot environment.

Please note that this procedure is only valid for sftp and only for BoKS version 6.6.1 and higher. Other sub-protocols, or older versions of BoKS, require directory to be set up to include all files and libraries within the chroot environment. This can be quite tedious to accomplish.


On the Server Agent (client):

  1. Ensure that the target directory exists and that it and all directory components are only writable by root. The user that will use sftp will need to have read and execute permission on the directory to access files. This can be different than the user's home directory.
  2. If the user needs to create or change files in the directory, you can create a sub-directory that has write permission enabled. This can be set for the user or for one of the groups to which the user belongs. You will probably want to update the user's record for home directory to match. You could either create a parallel structure to /home within the chroot environment or change the record to reflect the home directory in "/". Otherwise the user will have to cd to the correct directory.
  3. Edit the ${BOKS_etc}/ssh/ file to include the line below. No other changes are needed. BoKS must be restarted for this to take effect. This will also work for all users - with or without the need for a "chroot" environment, since chroot is controlled by a modifier on the assigned Access Route.

Subsystem sftp internal-sftp


# mkdir -m 750 /sftp

# chown root:testgroup /sftp

# mkdir -m 700 /sftp/testuser

# chown testuser:testgroup /sftp/testuser

# vi ${BOKS_etc}/ssh/



On the Master:

  1. Create an Access Route for the user (or User Class) that has chroot set for sftp. Do not combine with other SSH sub-protocols (like login, remote command execution, etc.), as these need a full chroot environment. This is possible to do, but the directory setup on the Server Agent is much more complex than described above. The chroot is set up on the SSH_SFTP route, so it can be a different route than the SSH route used for authentication. Use the modifier chroot=.


BoKS # ttyadmin -a -l HOST_GROUP:testuser -z 'SSH:fromhost->tohost' -b 0000 -e 0000 -w 1234567

BoKS # ttyadmin -a -l HOST_GROUP:testuser -z 'SSH_SFTP:fromhost->tohost' -b 0000 -e 0000 -w 1234567 -m chroot=/sftp

BoKS # modbks -l HOST_GROUP:testuser -h /testuser

Still have questions? We can help. Submit a case to Technical Support.

Last Modified On: May 25, 2018