SFTP &

Márk Csaba markcs at gwyll.eu
Wed Jun 25 10:30:48 EST 2014


Hello List.

I’m trying to set up a limited SSH server with SFTP.

The requirements:

- There are users to whom only SFTP should be available. (sftp-only group)
- There are users to whom SFTP and shell access should be available (admin group)
- SFTP clients have to authenticate with username and password
- shell users have to authenticate with private key.

I put into the sshd_config global section:

PasswordAuthentication no

and at the end of the sshd_config:

Subsystem       sftp    internal-sftp

Match Group admin
    AllowTCPForwarding yes
    X11Forwarding yes
    ForceCommand bash

Match Group sftp-only
    PasswordAuthentication yes
    AllowTCPForwarding no
    X11Forwarding no
    ForceCommand internal-sftp

This config works well for SFTP users … but if a user is a member of both groups, the SFTP client fails to connect. Obviously because of the ForceCommand.

Is there a way to achieve the requirements above?

Is there a way to create rules according to connection type? I mean … is there any difference within the connection/authentication between e.g. PuTTY and FileZilla?

Thank you,

Csaba
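
Added example, not part of the original post and not OpenSSH code: a simplified Python model of how sshd resolves the configuration above for one user, following the sshd_config(5) rules that the first value obtained for a keyword is used and that matching Match blocks override the global section. It models only `Match Group` with exact group names; `SSHD_CONFIG` is retyped from the post and `effective_settings` is a hypothetical helper.

```python
# Added example: simplified model of sshd_config Match resolution.
# Assumption: only "Match Group <name>" with exact group names is modelled
# (real sshd also accepts pattern lists and other criteria).
SSHD_CONFIG = """\
PasswordAuthentication no
Subsystem sftp internal-sftp
Match Group admin
    AllowTCPForwarding yes
    X11Forwarding yes
    ForceCommand bash
Match Group sftp-only
    PasswordAuthentication yes
    AllowTCPForwarding no
    X11Forwarding no
    ForceCommand internal-sftp
"""

def effective_settings(config_text, user_groups):
    """Return the keyword -> value map that applies to a user in user_groups."""
    global_opts, match_opts = {}, {}
    target, active = global_opts, True
    for raw in config_text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        keyword = parts[0].lower()          # keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            criterion, _, group = value.partition(" ")
            if criterion.lower() != "group":
                raise ValueError("only 'Match Group' is modelled here")
            target, active = match_opts, group.strip() in user_groups
        elif active:
            # The first value obtained for a keyword is the one kept.
            target.setdefault(keyword, value)
    # Values from matching Match blocks override the global section.
    return {**global_opts, **match_opts}

def show(label, groups):
    eff = effective_settings(SSHD_CONFIG, groups)
    print(f"{label:10} ForceCommand={eff.get('forcecommand')!r} "
          f"PasswordAuthentication={eff['passwordauthentication']} "
          f"AllowTCPForwarding={eff.get('allowtcpforwarding')}")

if __name__ == "__main__":
    show("sftp-only", {"sftp-only"})
    show("admin", {"admin"})
    show("both", {"admin", "sftp-only"})   # constructed dual-membership case
```

For the dual-membership user the model yields `ForceCommand bash` from the first matching block together with `PasswordAuthentication yes` from the second, so that account gets a shell with forwarding and password login at once. On a real server, `sshd -T -C user=<name>` prints the effective configuration for a given user.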

 


More information about the openssh-unix-dev mailing list