SFTP &

Nico Kadel-Garcia nkadel at gmail.com
Wed Jun 25 14:36:13 EST 2014


On Tue, Jun 24, 2014 at 8:30 PM, Márk Csaba <markcs at gwyll.eu> wrote:
> Hello List.
>
> I'm trying to set up a limited SSH server with SFTP.
>
> The requirements:
>
> - There are users to whom only SFTP should be available (sftp-only group).
> - There are users to whom SFTP and shell access should be available (admin group).
> - SFTP clients have to authenticate with username and password.
> - Shell users have to authenticate with a private key.
>
> I put into the sshd_config global section:
>
> PasswordAuthentication no
>
> and at the end of the sshd_config:
>
> Subsystem       sftp    internal-sftp
>
> Match Group admin
>     AllowTCPForwarding yes
>     X11Forwarding yes
>     ForceCommand bash
>
> Match Group sftp-only
>     PasswordAuthentication yes
>     AllowTCPForwarding no
>     X11Forwarding no
>     ForceCommand internal-sftp
>
> This config works well for SFTP users … but if a user is a member of both groups, the SFTP client fails to connect, obviously because of the ForceCommand.
>
> Is there a way to achieve the requirements above?
>
> Is there a way to create rules according to connection type? I mean … is there any difference within the connection/authentication between e.g. PuTTY and FileZilla?

Put your limited sftp server on a separate port, or your SSH server on
a separate port, to start with. That way you don't wind up mixing and
matching the configurations.
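As an added illustration of the point in this thread (this is example code, not from the thread or from OpenSSH), the script below models how sshd resolves a keyword across Match blocks: a matching block overrides the global section, and when several blocks match, the first block that sets a keyword wins for that keyword. It replays the posted configuration for a user who is in both groups, and then a port-split variant of the reply's suggestion done inside one sshd with `Match LocalPort`. Criteria matching is literal (no wildcard patterns), the port numbers are hypothetical, and `Match LocalPort` assumes an OpenSSH release that supports that criterion.

```python
# Added example (not code from the thread or from OpenSSH): a small model of how
# sshd resolves one keyword across Match blocks. Modelled semantics, as
# described in sshd_config(5): a matching Match block overrides the global
# section, and when several blocks match, the first one that sets a keyword
# wins for that keyword. Criteria are matched literally; sshd also accepts
# wildcard patterns, which this model leaves out.
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    """The parts of a connection that the modelled Match criteria look at."""
    user: str
    groups: frozenset
    local_port: int


def parse(text):
    """Split sshd_config text into (global_opts, [(criteria, opts), ...])."""
    global_opts, blocks = {}, []
    current = global_opts
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            toks = value.split()
            criteria = dict(zip((t.lower() for t in toks[0::2]), toks[1::2]))
            current = {}
            blocks.append((criteria, current))
        else:
            current.setdefault(key, value)  # repeated keyword in a section: first wins
    return global_opts, blocks


def block_matches(criteria, conn):
    """True if every criterion on a Match line holds for this connection."""
    for crit, pattern in criteria.items():
        alternatives = set(pattern.split(","))
        if crit == "group":
            hit = bool(conn.groups & alternatives)
        elif crit == "user":
            hit = conn.user in alternatives
        elif crit == "localport":
            hit = str(conn.local_port) in alternatives
        else:
            raise ValueError("criterion not modelled: " + crit)
        if not hit:
            return False
    return True


def effective(text, conn, keyword):
    """Value sshd would use for keyword on this connection, or None if unset."""
    global_opts, blocks = parse(text)
    k = keyword.lower()
    for criteria, opts in blocks:
        if block_matches(criteria, conn) and k in opts:
            return opts[k]
    return global_opts.get(k)


def allowed(text, conn):
    """Apply the effective AllowGroups list (space separated), if there is one."""
    groups = effective(text, conn, "AllowGroups")
    return groups is None or bool(conn.groups & set(groups.split()))


# Constructed copy of the configuration from the post.
POSTED = """
PasswordAuthentication no
Subsystem sftp internal-sftp

Match Group admin
    AllowTCPForwarding yes
    X11Forwarding yes
    ForceCommand bash

Match Group sftp-only
    PasswordAuthentication yes
    AllowTCPForwarding no
    X11Forwarding no
    ForceCommand internal-sftp
"""

# Constructed port-split variant of the reply's suggestion inside one sshd:
# SFTP only on 2222, shells only on 22 (hypothetical port numbers). The two
# Port lines collapse to one in this model, which never queries Port.
PORT_SPLIT = """
Port 22
Port 2222
PasswordAuthentication no
Subsystem sftp internal-sftp

Match LocalPort 22
    AllowGroups admin

Match LocalPort 2222
    PasswordAuthentication yes
    AllowTCPForwarding no
    X11Forwarding no
    ForceCommand internal-sftp
"""


def summary(text, conn):
    """The keywords that decide what this connection is able to do."""
    return {
        "allowed": allowed(text, conn),
        "ForceCommand": effective(text, conn, "ForceCommand"),
        "PasswordAuthentication": effective(text, conn, "PasswordAuthentication"),
    }


if __name__ == "__main__":
    both = frozenset({"admin", "sftp-only"})
    print("posted config, user in both groups:", summary(POSTED, Conn("bob", both, 22)))
    for port in (22, 2222):
        print("port-split config, port", port, ":", summary(PORT_SPLIT, Conn("bob", both, port)))
```

Run against the posted configuration, the model shows the quieter problem next to the visible one: a dual-member user gets `ForceCommand bash` from the admin block (which is why the SFTP client fails) and, at the same time, `PasswordAuthentication yes` from the sftp-only block, so that account can open a shell with a password, which the requirements forbid. In the port-split variant each keyword is decided by the port the connection arrived on, so the same user gets only `internal-sftp` with passwords on 2222 and only key-authenticated shells on 22, while sftp-only members are refused on 22 by `AllowGroups`. On a real server the same question is answered by `sshd -T -C user=...,addr=...,lport=...`, which prints the effective configuration for a given connection specification.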


More information about the openssh-unix-dev mailing list