How do I restrict users to sftp in OpenSSH on Windows Server?
From Mika-n on the PowerShell-OpenSSH GitHub:
This works with OpenSSH-Win64 8.1.x version, but you need to set the following sshd_config options (by default in the %PROGRAMDATA%\SSH\ folder location on the Windows platform):

    ForceCommand internal-sftp
    Subsystem sftp sftp-server.exe -d "D:\MyDataRoot\"
    ChrootDirectory D:\MyDataRoot
    PermitTunnel no
    AllowAgentForwarding no
    AllowTcpForwarding no
    X11Forwarding no
    AllowUsers sftpuser

So consider adding the subsystem line with -d to set the folder, or add -d to your ForceCommand entry.
Please note that you should also make sure the users have the correct filesystem permissions to keep them contained in a folder as well.
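An added example, not part of the original answer or of the Win32-OpenSSH project: a small Python audit that compares the global section of an sshd_config with the directives quoted above. The function names and the choice to report an unset directive as a finding are assumptions of this sketch; it follows sshd's rule that the first value read for a keyword is the one used, and it stops at the first Match block.

```python
# Added example (not from the page): keyword -> first argument in the answer.
EXPECTED = {"forcecommand": "internal-sftp", "permittunnel": "no",
            "allowagentforwarding": "no", "allowtcpforwarding": "no",
            "x11forwarding": "no"}

def parse_global(text):
    """Global keywords -> args. sshd keeps the first value read for a keyword;
    parsing stops at the first Match block."""
    settings = {}
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue
        key = words[0].lower()
        if key == "match":
            break
        if key == "subsystem" and len(words) > 1:  # one entry per subsystem name
            key, words = "subsystem " + words[1].lower(), words[1:]
        settings.setdefault(key, words[1:])
    return settings

def audit(text):
    """Return findings; an empty list means the file matches the answer."""
    cfg, findings = parse_global(text), []
    for key, want in EXPECTED.items():
        got = cfg.get(key)
        if not got:
            findings.append(f"{key}: not set (answer uses '{want}')")
        elif got[0].lower() != want:
            findings.append(f"{key}: is '{got[0]}', answer uses '{want}'")
    if not cfg.get("chrootdirectory"):
        findings.append("chrootdirectory: not set")
    sftp = cfg.get("subsystem sftp")
    if not sftp:  # also catches a Subsystem line that omits the name
        findings.append("subsystem: no 'sftp' subsystem with a command")
    if "-d" not in (sftp or []) + cfg.get("forcecommand", []):
        findings.append("start directory: no -d on Subsystem or ForceCommand")
    return findings

# The answer's configuration, one directive per line.
ANSWER_CFG = r'''ForceCommand internal-sftp
Subsystem sftp sftp-server.exe -d "D:\MyDataRoot\"
ChrootDirectory D:\MyDataRoot
PermitTunnel no
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no
AllowUsers sftpuser'''
if __name__ == "__main__":
    print(audit(ANSWER_CFG) or "no findings")
```

Run it against the file sshd actually loads (by default under %PROGRAMDATA%\SSH\, per the answer), since auditing a different copy says nothing about the running server.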
Tomáš Johnbík
Updated on September 18, 2022
Comments
-
Tomáš Johnbík over 1 year
I am working with OpenSSH downloaded from https://github.com/PowerShell/Win32-OpenSSH/releases.
My goal here is to set up an SSH server that allows SFTP file transfer without SSH access. According to the official documentation provided by OpenSSH, this should be supported on Windows since version 7.7 was released, and the restriction should be set up in sshd_config. I tried to play with this file for a while, but I wasn't able to restrict myself to only being able to access the subfolders. This is what I have added to my config file:

    Subsystem sftp sftp-server.exe
    ForceCommand internal-sftp
    ChrootDirectory c:\users\myusername
    AllowTcpForwarding no
    PermitTunnel no
    GatewayPorts no

Can anyone tell me why this is not working? Or can I not set up SFTP-only access like this?
Another option would be to disable SSH connection. How do I achieve that with OpenSSH in Windows?
-
Ramhound almost 4 years
The OpenSSH Windows feature does not support everything that OpenSSH supports. However, your question isn't clear, so I am having difficulty understanding your question. Please edit your question instead of replying with a comment.
-
Cpt.Whale almost 4 years
Please clarify what you currently can do that you don't want sftp clients doing. Viewing files in other folders? Connecting to SSH?
-
Tomáš Johnbík almost 4 years
@user19702 please view my edited question. Thank you.
-
Tomáš Johnbík almost 4 years
My question might be very unfortunate. The ultimate goal, which I would like to get to, is to disable ssh connection, so I can't connect using ssh and putty, but at the same time I would like to have sftp access, so I can transfer files to my remote server. Since I won't be the only one using this option and it is very hard to change the directory structure on the remote system, I would prefer if this could be done without creating a new folder with special permissions and adding current users to a special group with those permissions. Do you think this could be achieved?
-
Cpt.Whale almost 4 years
I quoted the user, but you can use

    Subsystem sftp sftp-server.exe -d "C:\users\myusername"

in your sshd_config instead. chroot + running sftp with -d (directory) should get you what you need I think. Please add an example of you doing a command that should not be working to clarify more
-
Tomáš Johnbík almost 4 years
In the end I found the issue. I was correcting a wrong config file. What you suggested works. Thank you.
-
Toto over 2 years
Code without any explanation is useless. Can you elaborate on this a little more?