On Mon, 3 Aug 2015, Martin wrote:

> Hi!
>
> I want to set up an OpenSSH server which restricts some users to only
> chrooted SFTP, while others have full/normal ssh, scp and sftp access.
>
> Most or all guides on the web say that I should enable the config line
> "Subsystem sftp internal-sftp" among other things, but I've found out
> that this only causes non-restricted users to not be able to use SFTP at
> all, only the chrooted users. Without it users can still be
> chrooted and forced to use only SFTP - all seems fine.
>
> Should I really use this config line? What does it do? Are the
> guides wrong? Here are some guides I've seen:
>
> https://wiki.archlinux.org/index.php/SFTP_chroot
> http://www.thegeekstuff.com/2012/03/chroot-sftp-setup/
>
> My config file (just the important and changed parts):
>
> PasswordAuthentication no
>
> Subsystem sftp /usr/lib/openssh/sftp-server
> # Subsystem sftp internal-ftp
                   ^^^^^^^^^^^^^

Are you sure the problem isn't just a typo? It should be internal-sftp,
not internal-ftp.

> Match User developer
>     ChrootDirectory %h
>     ForceCommand internal-sftp
>     PasswordAuthentication yes
>     AllowTcpForwarding no
>     PermitTunnel no
>     X11Forwarding no

If you want this account to be sftp-only then this will work fine and
you won't need to adjust the top-level Subsystem declaration, as
ForceCommand overrides it anyway.

-d

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
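The override described in the reply, as an added example that is not part of the original thread: a simplified Python reader for sshd_config that reports which command would serve an SFTP request for a given user and flags a value such as internal-ftp. It assumes only global options and `Match User` blocks with literal names; the function names, `TYPO_CONFIG` and the user `alice` are hypothetical.

```python
# Added example, not sshd's own parser: handles global options and
# "Match User name[,name]" blocks only (no patterns, Include or quoting).
SAMPLE_CONFIG = """\
PasswordAuthentication no
Subsystem sftp /usr/lib/openssh/sftp-server
# Subsystem sftp internal-ftp

Match User developer
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no
"""
# Constructed variant: the commented-out line enabled in place of sftp-server.
TYPO_CONFIG = SAMPLE_CONFIG.replace("Subsystem sftp /usr/lib/openssh/sftp-server\n# ", "")

def _split(s):
    """Split 'word rest' on the first run of whitespace."""
    parts = s.split(None, 1) + ["", ""]
    return parts[0], parts[1].strip()

def parse(text):
    """Return (global_opts, [(users, opts), ...]); first value of a keyword wins."""
    global_opts, matches, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, value = _split(line)
        key = key.lower()
        if key == "match":
            crit, names = _split(value)
            current = {}
            matches.append((set(names.split(",")) if crit.lower() == "user" else set(), current))
            continue
        if key == "subsystem":  # keep one entry per subsystem name
            name, value = _split(value)
            key = "subsystem:" + name
        (global_opts if current is None else current).setdefault(key, value)
    return global_opts, matches

def sftp_handler(text, user):
    """Command serving sftp for `user`: a matching ForceCommand, else Subsystem sftp."""
    global_opts, matches = parse(text)
    for users, opts in matches:
        if user in users and "forcecommand" in opts:
            return opts["forcecommand"]
    return global_opts.get("subsystem:sftp")

def looks_mistyped(handler):
    """Heuristic: neither the literal internal-sftp nor an absolute path."""
    return handler is not None and handler != "internal-sftp" and not handler.startswith("/")
```
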