On Tue, Jun 24, 2014 at 8:30 PM, Márk Csaba <markcs@xxxxxxxx> wrote:
> Hello List.
>
> I'm trying to set up a limited SSH server with SFTP.
>
> The requirements:
>
> - There are users to whom only SFTP should be available (sftp-only group).
> - There are users to whom SFTP and shell access should be available (admin group).
> - SFTP clients have to authenticate with username and password.
> - Shell users have to authenticate with a private key.
>
> I put into the sshd_config global section:
>
> PasswordAuthentication no
>
> and at the end of the sshd_config:
>
> Subsystem sftp internal-sftp
>
> Match Group admin
>     AllowTCPForwarding yes
>     X11Forwarding yes
>     ForceCommand bash
>
> Match Group sftp-only
>     PasswordAuthentication yes
>     AllowTCPForwarding no
>     X11Forwarding no
>     ForceCommand internal-sftp
>
> This config works well for SFTP users … but if a user is a member of both groups, the SFTP client fails to connect. Obviously because of the ForceCommand.
>
> Is there a way to achieve the requirements above?
>
> Is there a way to create rules according to connection type? I mean … is there any difference within the connection/authentication between e.g. PuTTY and FileZilla?

Put your limited sftp server on a separate port, or your SSH server on a separate port, to start with. That way you don't wind up mixing and matching the configurations.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
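One way to implement the separate-port approach from the reply, as an added example that is not from the thread: a single sshd_config that uses Match LocalPort (available since OpenSSH 6.5) so the port, not the group list, decides whether a session is forced into internal-sftp. It assumes ports 22 and 2222, the group names from the question, and a chroot path of /srv/sftp/%u.

```conf
# Assumed: OpenSSH 6.5 or newer (Match LocalPort was added in 6.5).
# Global section: the restrictive defaults every connection starts from.
Port 22
Port 2222
PasswordAuthentication no
PubkeyAuthentication yes
AllowTcpForwarding no
X11Forwarding no
AllowAgentForwarding no
Subsystem sftp internal-sftp

# Port 22: interactive SSH for the admin group only. Keys only (the global
# PasswordAuthentication no still applies), shell and forwarding allowed,
# and SFTP works here too via the global Subsystem line. There is no
# ForceCommand, so admins who are also members of sftp-only are unaffected.
Match LocalPort 22
    AllowGroups admin
    AllowTcpForwarding yes
    X11Forwarding yes
    AllowAgentForwarding yes

# Port 2222: SFTP-only endpoint. Password login is enabled only here, and
# every session, whatever other groups the user is in, is forced into
# internal-sftp and chrooted. The chroot path is an assumption; the
# directory and all its parents must be root-owned and not writable by
# group or others, or sshd refuses the login.
Match LocalPort 2222
    AllowGroups sftp-only
    PasswordAuthentication yes
    ForceCommand internal-sftp
    ChrootDirectory /srv/sftp/%u
    PermitTunnel no
```

Before reloading, check the effective options a given user gets on each port with `sshd -T -C user=bob,host=client.example,addr=203.0.113.5,lport=2222` (constructed values) and compare against `lport=22`; a user in both groups should show ForceCommand internal-sftp only for 2222.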