Re: Chrooted SFTP-only users along with normal SFTP

On Mon, 3 Aug 2015, Martin wrote:

> Hi!
> 
> I want to set up an OpenSSH server which restricts some users to only
> chrooted SFTP, while others have full/normal ssh, scp and sftp access.
> 
> Most or all guides on the web say that I should enable the config line
> "Subsystem sftp internal-sftp" among other things, but I've found out
> that this only causes non-restricted users to not be able to use SFTP at
> all, only the chrooted users.  Without it users can still be
> chrooted and forced to use only SFTP - all seems fine.
> 
> Should I really use this config line?  What does it do?  Are the
> guides wrong?  Here are some guides I've seen:
> 
> https://wiki.archlinux.org/index.php/SFTP_chroot
> http://www.thegeekstuff.com/2012/03/chroot-sftp-setup/
> 
> My config file (just the important and changed parts):
> 
>   PasswordAuthentication no
> 
>   Subsystem sftp /usr/lib/openssh/sftp-server
>   # Subsystem sftp internal-ftp
                     ^^^^^^^^^^^^^
Are you sure the problem isn't just a typo? It should be internal-sftp,
not internal-ftp.

>   Match User developer
>     ChrootDirectory %h
>     ForceCommand internal-sftp
>     PasswordAuthentication yes
>     AllowTcpForwarding no
>     PermitTunnel no
>     X11Forwarding no

If you want this account to be sftp-only then this will work fine and
you won't need to adjust the top-level Subsystem declaration, as
ForceCommand overrides it anyway.

-d
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
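
An added example, not part of the original message and not OpenSSH code: a small sshd_config check for the two points raised in the reply, a mistyped sftp Subsystem command and which Match blocks are forced to internal-sftp and so do not depend on the Subsystem line. The sample configuration, the function names and the "internal-sftp or absolute path" heuristic are assumptions made for this example.

```python
# Constructed sample: the poster's configuration with the commented-out
# Subsystem line enabled, typo included.
SAMPLE = """\
PasswordAuthentication no
Subsystem sftp internal-ftp

Match User developer
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no
"""

def parse(text):
    """Split sshd_config text into [(scope, [(keyword, args)])]; keywords lowercased."""
    blocks = [("global", [])]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 1)
        keyword = fields[0].lower()          # sshd keywords are case-insensitive
        args = fields[1] if len(fields) > 1 else ""
        if keyword == "match":
            blocks.append((args, []))        # a Match block runs until the next Match
        else:
            blocks[-1][1].append((keyword, args))
    return blocks

def lint(text):
    """Return (suspect sftp Subsystem commands, Match scopes forced to internal-sftp)."""
    suspect, forced = [], []
    for scope, options in parse(text):
        for keyword, args in options:
            words = args.split()
            if keyword == "subsystem" and len(words) >= 2 and words[0] == "sftp":
                # Heuristic for this example: expect internal-sftp or an absolute path.
                if words[1] != "internal-sftp" and not words[1].startswith("/"):
                    suspect.append(words[1])
            if scope != "global" and keyword == "forcecommand" and words[:1] == ["internal-sftp"]:
                forced.append(scope)
    return suspect, forced

if __name__ == "__main__":
    suspect, forced = lint(SAMPLE)
    print("suspect sftp Subsystem commands:", suspect)
    print("Match blocks forced to internal-sftp:", forced)
```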


