On Mon, 3 Aug 2015, Martin wrote:
> Hi!
>
> I want to set a OpenSSH server which restricts some users to only
> chrooted SFTP, while others have full/normal ssh, scp and sftp access.
>
> Most or all guides on the web say that I should enable the config line
> "Subsytem sftp internal-sftp" among other things, but I've
found out
> that this only causes non-restricted users to not be able use SFTP at
> all, only the chrooted users. Without it users can be still be
> chrooted and forced to use only SFTP - all seems fine.
>
> Should I really use this config line? What does it do? Are the
> guides wrong? Here are some guides I've seen:
>
> https://wiki.archlinux.org/index.php/SFTP_chroot
> http://www.thegeekstuff.com/2012/03/chroot-sftp-setup/
>
> My config file (just the important and changed parts):
>
> PasswordAuthentication no
>
> Subsystem sftp /usr/lib/openssh/sftp-server
> # Subsystem sftp internal-ftp
^^^^^^^^^^^^^
Are you sure the problem isn't just a typo? It should be internal-sftp,
not internal-ftp.
> Match User developer
> ChrootDirectory %h
> ForceCommand internal-sftp
> PasswordAuthentication yes
> AllowTcpForwarding no
> PermitTunnel no
> X11Forwarding no
If you want this account to be sftp-only then this will work fine and
you won't need to adjust the top-level Subsystem declaration, as
ForceCommand overrides it anyway.
-d