How do I restrict users to sftp in OpenSSH on Windows Server?

13,904

From Mika-n on the PowerShell-OpenSSH GitHub:

This works with the OpenSSH-Win64 8.1.x version, but you need to set the following sshd_config options (by default in the %PROGRAMDATA%\SSH\ folder on Windows):

ForceCommand internal-sftp
Subsystem  sftp   sftp-server.exe -d "D:\MyDataRoot\"
ChrootDirectory D:\MyDataRoot

PermitTunnel no
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no
AllowUsers sftpuser

So consider adding the subsystem line with -d to set the folder, or add -d to your ForceCommand entry.

Please note that you should also make sure the users have the correct filesystem permissions to keep them contained in a folder as well.
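Two caveats a practitioner will want before copying the answer's config. First, `ForceCommand internal-sftp` makes sshd run its in-process SFTP server for every session, so the `Subsystem` line (and any `-d` on it) is never consulted for those users; the `-d` has to go on the ForceCommand, or the ForceCommand dropped. Second, a global ForceCommand locks every account out of a shell, administrators included. The PowerShell below is an added example, not code from the answer or from the Win32-OpenSSH project: it scopes the restriction to one local group with a `Match Group` block, sets the NTFS permissions the answer says are needed, validates the config with sshd's standard `-t`/`-T` test modes and restarts the service. The group name `sftponly`, user `sftpuser` (assumed to already exist), data root `D:\SftpRoot` and the sshd.exe location under `$env:ProgramFiles\OpenSSH` (the GitHub release layout) are all assumptions; adjust them for your host.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original answer. Confines one local group to
# SFTP with a Match block instead of a global ForceCommand, so administrators
# keep their normal SSH shell. Assumed names: group 'sftponly', user 'sftpuser'
# (must already exist), data root 'D:\SftpRoot', sshd.exe under
# $env:ProgramFiles\OpenSSH (GitHub release layout; the in-box Windows feature
# installs to C:\Windows\System32\OpenSSH instead).
$SftpGroup  = 'sftponly'
$SftpUser   = 'sftpuser'
$DataRoot   = 'D:\SftpRoot'
$ConfigPath = Join-Path $env:ProgramData 'ssh\sshd_config'
$SshdExe    = Join-Path $env:ProgramFiles 'OpenSSH\sshd.exe'

# 1. Local group the Match block keys on; membership decides who is confined.
if (-not (Get-LocalGroup -Name $SftpGroup -ErrorAction SilentlyContinue)) {
    New-LocalGroup -Name $SftpGroup -Description 'SFTP-only accounts, no shell' | Out-Null
}
if (-not (Get-LocalGroupMember -Group $SftpGroup -Member $SftpUser -ErrorAction SilentlyContinue)) {
    Add-LocalGroupMember -Group $SftpGroup -Member $SftpUser
}

# 2. NTFS permissions that actually contain the user (the config alone does not):
#    drop the ACEs inherited from D:\, give SYSTEM and Administrators full control
#    and the SFTP group Modify on the tree. The group is granted nothing above it.
New-Item -ItemType Directory -Path $DataRoot -Force | Out-Null
icacls $DataRoot /inheritance:r /grant 'SYSTEM:(OI)(CI)F' 'Administrators:(OI)(CI)F' "${SftpGroup}:(OI)(CI)M" | Out-Null

# 3. Back up sshd_config and append the Match block. A Match block runs to the
#    next Match keyword or end of file, so it belongs at the end; its keywords
#    override the global ones for matching sessions only. Write ASCII: the
#    UTF-16 output Out-File produces by default is not a file sshd can parse.
Copy-Item $ConfigPath "$ConfigPath.bak-$(Get-Date -Format yyyyMMddHHmmss)"
$Block = @"

# SFTP-only accounts: no shell, no forwarding, confined to $DataRoot
Match Group $SftpGroup
    ChrootDirectory $DataRoot
    ForceCommand internal-sftp
    AllowTcpForwarding no
    AllowAgentForwarding no
    PermitTunnel no
    X11Forwarding no
"@
if ((Get-Content $ConfigPath -Raw) -notmatch "(?m)^\s*Match\s+Group\s+$SftpGroup\b") {
    Add-Content -Path $ConfigPath -Value $Block -Encoding ascii
}

# 4. Syntax-check before restarting (sshd -t), then print the options sshd would
#    actually apply to the SFTP user (sshd -T with a connection spec), so the
#    Match block can be seen taking effect before any client is touched.
& $SshdExe -t -f $ConfigPath
if ($LASTEXITCODE -ne 0) { throw 'sshd_config failed validation; restore the .bak copy' }
& $SshdExe -T -f $ConfigPath -C "user=$SftpUser" |
    Select-String -Pattern '^(forcecommand|chrootdirectory|allowtcpforwarding|permittunnel) '
Restart-Service sshd

# 5. From a client, the two outcomes to confirm:
#      ssh  sftpuser@<host>  -> rejected with "This service allows sftp connections only."
#      sftp sftpuser@<host>  -> "sftp> pwd" prints "/", the top of $DataRoot
```

Run it from an elevated PowerShell on the server. Because the restriction lives in a Match block, an administrator who is not a member of `sftponly` still gets the usual shell, while the confined account sees only the chroot tree both at the sshd level and, through the ACL, at the filesystem level.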

Author: Tomáš Johnbík

Updated on September 18, 2022

Comments

  • Tomáš Johnbík
    Tomáš Johnbík over 1 year

    I am working with OpenSSH downloaded from https://github.com/PowerShell/Win32-OpenSSH/releases.

    My goal here is to set up an SSH server that allows SFTP file transfer without SSH access. According to the official documentation provided by OpenSSH, this should be supported on Windows since version 7.7 was released, and the restriction should be set up in sshd_config. I tried to play with this file for a while, but I wasn't able to restrict myself to be able to only access the subfolders. This is what I have added in my config file:

    Subsystem   sftp    sftp-server.exe
    ForceCommand internal-sftp
    ChrootDirectory c:\users\myusername
    AllowTcpForwarding no
    PermitTunnel no
    GatewayPorts no


    Can anyone tell me why this is not working? Or I cannot setup SFTP access only like this?

    Another option would be to disable SSH connection. How do I achieve that with OpenSSh in Windows?

    • Ramhound
      Ramhound almost 4 years
      The OpenSSH Windows feature does not support everything that OpenSSH supports. However, your question isn't clear, so I am having difficulty understanding your question. Please edit your question instead of replying with a comment.
    • Cpt.Whale
      Cpt.Whale almost 4 years
      Please clarify what you currently can do that you don't want sftp clients doing. Viewing files in other folders? Connecting to SSH?
    • Tomáš Johnbík
      Tomáš Johnbík almost 4 years
      @user19702 please view my edited question. Thank you.
  • Tomáš Johnbík
    Tomáš Johnbík almost 4 years
    My question might be very unfortunate. The ultimate goal, which I would like to get to, is to disable SSH connections, so I can't connect using ssh and PuTTY, but at the same time I would like to have SFTP access, so I can transfer files to my remote server. Since I won't be the only one using this option and it is very hard to change the directory structure on the remote system, I would prefer if this could be done without creating a new folder with special permissions and adding current users to a special group with those permissions. Do you think this could be achieved?
  • Cpt.Whale
    Cpt.Whale almost 4 years
    I quoted the user, but you can use Subsystem sftp-server.exe -d "C:\users\myusername" in your sshd_config instead. chroot + running sftp with -d (directory) should get you what you need I think. Please add an example of you doing a command that should not be working to clarify more
  • Tomáš Johnbík
    Tomáš Johnbík almost 4 years
    In the end I found the issue. I was correcting a wrong config file. What you suggested, works. Thank you.
  • Toto
    Toto over 2 years
    Code without any explanation is useless. Can you elaborate on this a little more?