Note that this question is not about how to do chroot or make an account SFTP-only. The question is about whether there are specific ways for a sysadmin to check that a chrooted and SFTP-only account is correctly set up.
Usually I do chroot or SFTP-only settings following some online resources such as this one: https://wiki.archlinux.org/title/SFTP_chroot. But the issue is, unlike simply changing an option from No to Yes in a configuration file, I need to complete multiple steps to finish the chroot or SFTP-only settings. Since this is such a fundamentally important security setting, I am always thinking: Is my configuration correct? Did I miss something minor but critical?
Currently what I am doing to verify the correctness is very simple:
- To validate that an account is SFTP-only, I just try to log in as a normal user and see if I get a "This service allows sftp connections only." message and am rejected.
- To validate that an account is properly chrooted, I log in as an SFTP user and check whether I can switch to a directory the account is not supposed to get into (usually I just double-click, many many times, the ".." item at the top of the file list in an SFTP client's GUI).
Are these two things the only things a sysadmin needs to do to be 100% sure that the settings are correct?