Chrooted SFTP-only users along with normal SFTP

Martin martin at libtec.org
Mon Aug 3 08:08:34 AEST 2015


Hi!

I want to set up an OpenSSH server which restricts some users to only
chrooted SFTP, while others have full/normal ssh, scp and sftp access.

Most or all guides on the web say that I should enable the config line
"Subsystem sftp internal-sftp" among other things, but I've found out
that this only causes non-restricted users to not be able to use SFTP at
all, only the chrooted users.  Without it users can still be
chrooted and forced to use only SFTP - all seems fine.

Should I really use this config line?  What does it do?  Are the
guides wrong?  Here are some guides I've seen:

https://wiki.archlinux.org/index.php/SFTP_chroot
http://www.thegeekstuff.com/2012/03/chroot-sftp-setup/

My config file (just the important and changed parts):

  PasswordAuthentication no

  Subsystem sftp /usr/lib/openssh/sftp-server
  # Subsystem sftp internal-ftp

  Match User developer
    ChrootDirectory %h
    ForceCommand internal-sftp
    PasswordAuthentication yes
    AllowTcpForwarding no
    PermitTunnel no
    X11Forwarding no

I'm using Trisquel 7, which should be identical to Ubuntu 14.04.

Thank you!
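
An added example, not part of the message above: a small heuristic check for this kind of setup (chrooted SFTP-only users beside normal users), run over the config as posted and over a constructed variant in which the commented-out Subsystem line is the active one. The names `parse` and `lint` are hypothetical, and only whitespace-separated `Keyword value` lines are handled.

```python
# Config as posted in the message; indentation inside the Match block is cosmetic.
PAGE_CONFIG = """\
PasswordAuthentication no
Subsystem sftp /usr/lib/openssh/sftp-server
# Subsystem sftp internal-ftp
Match User developer
  ChrootDirectory %h
  ForceCommand internal-sftp
  PasswordAuthentication yes
  AllowTcpForwarding no
  PermitTunnel no
  X11Forwarding no
"""
# Constructed variant: the commented-out Subsystem line enabled instead of the active one.
VARIANT = PAGE_CONFIG.replace("Subsystem sftp /usr/lib/openssh/sftp-server\n# ", "")

def parse(text):
    """Return [(scope, {keyword: value})]; scope is 'global' or the Match criteria."""
    blocks = [("global", {})]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1) + [""]
        key, val = parts[0].lower(), parts[1].strip()   # keywords are case-insensitive
        if key == "match":
            blocks.append((val, {}))
            continue
        if key == "subsystem":                          # store as e.g. "subsystem sftp"
            name, _, val = val.partition(" ")
            key, val = f"subsystem {name}", val.strip()
        blocks[-1][1].setdefault(key, val)              # first occurrence wins
    return blocks

def lint(text):
    """Heuristic findings; an empty list means nothing was flagged."""
    blocks = parse(text)
    glob, findings = blocks[0][1], []
    sftp = glob.get("subsystem sftp")
    if sftp is None:
        findings.append("global: no 'Subsystem sftp' line defined")
    elif sftp.split()[:1] != ["internal-sftp"] and not sftp.startswith("/"):
        findings.append(f"global: Subsystem sftp command {sftp!r} is neither internal-sftp nor an absolute path; check for a typo")
    for scope, opts in blocks[1:]:
        if opts.get("chrootdirectory", "none").lower() == "none":
            continue                                    # block does not chroot anyone
        if opts.get("forcecommand", "").split()[:1] != ["internal-sftp"]:
            findings.append(f"Match {scope}: chrooted but not forced to internal-sftp")
        if opts.get("allowtcpforwarding", glob.get("allowtcpforwarding", "yes")).lower() != "no":
            findings.append(f"Match {scope}: AllowTcpForwarding is not 'no'")
    return findings

if __name__ == "__main__":
    for label, cfg in (("as posted", PAGE_CONFIG), ("variant", VARIANT)):
        print(label, lint(cfg))
```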


More information about the openssh-unix-dev mailing list