Chrooted SFTP-only users along with normal SFTP

Damien Miller djm at mindrot.org
Mon Aug 3 09:59:39 AEST 2015


On Mon, 3 Aug 2015, Martin wrote:

> Hi!
> 
> I want to set a OpenSSH server which restricts some users to only
> chrooted SFTP, while others have full/normal ssh, scp and sftp access.
> 
> Most or all guides on the web say that I should enable the config line
> "Subsystem sftp internal-sftp" among other things, but I've found out
> that this only causes non-restricted users to not be able to use SFTP at
> all, only the chrooted users.  Without it users can still be
> chrooted and forced to use only SFTP - all seems fine.
> 
> Should I really use this config line?  What does it do?  Are the
> guides wrong?  Here are some guides I've seen:
> 
> https://wiki.archlinux.org/index.php/SFTP_chroot
> http://www.thegeekstuff.com/2012/03/chroot-sftp-setup/
> 
> My config file (just the important and changed parts):
> 
>   PasswordAuthentication no
> 
>   Subsystem sftp /usr/lib/openssh/sftp-server
>   # Subsystem sftp internal-ftp
                     ^^^^^^^^^^^^^
Are you sure the problem isn't just a typo? It should be internal-sftp,
not internal-ftp.

>   Match User developer
>     ChrootDirectory %h
>     ForceCommand internal-sftp
>     PasswordAuthentication yes
>     AllowTcpForwarding no
>     PermitTunnel no
>     X11Forwarding no

If you want this account to be sftp-only then this will work fine and
you won't need to adjust the top-level Subsystem declaration, as
ForceCommand overrides it anyway.

-d
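For reference, here is an added example of the arrangement Damien describes (it is not the configuration posted in the thread and not OpenSSH's own sample file): one global Subsystem line that serves the unrestricted users, and a Match block that overrides it with ForceCommand for the restricted ones. The group name sftponly and the upload subdirectory are assumptions chosen for the example; the thread matches on a single user name instead.

```text
# sshd_config (added example, not the configuration from the thread)

# Global policy: key-based authentication for everyone by default.
PasswordAuthentication no

# Global SFTP subsystem.  Either form works for unrestricted users.  The
# in-process server needs no binary on disk, so it also works inside a
# chroot.  Mind the exact spelling: "internal-sftp", not "internal-ftp";
# a misspelled handler makes every SFTP session fail for users who are
# not covered by a ForceCommand.
Subsystem sftp internal-sftp
# Subsystem sftp /usr/lib/openssh/sftp-server   # external binary, also fine

# Hypothetical group holding the restricted accounts.
Match Group sftponly
    # %h expands to the user's home directory.  The chroot target must be
    # owned by root and not writable by group or others, so give each user
    # a root-owned home with a user-owned subdirectory for writing.
    ChrootDirectory %h
    # ForceCommand takes precedence over the global Subsystem line for
    # matched users, so the top-level declaration needs no change.
    ForceCommand internal-sftp
    AllowTcpForwarding no
    PermitTunnel no
    X11Forwarding no
    # Password login is re-enabled only for this group.
    PasswordAuthentication yes
```

Two checks worth running before reloading the daemon: `sshd -t -f /etc/ssh/sshd_config` parses the file and reports syntax errors, and `sshd -T -C user=developer` prints the effective configuration after Match processing for that account, so you can confirm that `forcecommand internal-sftp` and `chrootdirectory` appear for a restricted user and are absent for a normal one. The chroot directory itself needs the ownership sshd insists on, for example `chown root:root /home/developer && chmod 755 /home/developer`, with a separate `chown developer: /home/developer/upload` for the directory the user is allowed to write to; if the home directory is user-writable, sshd refuses the session with a "bad ownership or modes for chroot directory" error in its log.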

