SFTP to chroot and SSH to manage system in one config?
Solution 1
You could use Match in a reverse way. Chroot by default and then negate the directive if connecting from the internal network.
ChrootDirectory /chroot/somedir
Match Address 10.0.0.0/24
ChrootDirectory none
However you should consider the implications of placing security decisions upon the networks, including the possibility of an authenticated user creating a new session over loopback to bypass such policies. Generally it would be safer to define User and Group if possible.
(edit: typed before reading properly)
Solution 2
The solution that I used in the end is the following:
Subsystem sftp internal-sftp
ChrootDirectory <my chroot directory>
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
Match User <my admin account> Address <my ip>
ChrootDirectory none
X11Forwarding yes
AllowTcpForwarding yes
ForceCommand /bin/bash
Match User <my admin account>
ForceCommand none
So it is a mix of the answers I saw before, and I made two Match blocks so that people from other IPs who try to use my admin account won't be able to use sftp or ssh. I will be monitoring the activity on the server closely to see if this works out, but internal tests look promising.
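As an added check (not part of the answer above), here is a small Python model of how sshd resolves stacked Match blocks, run against Solution 2's config with constructed placeholder values (admin user, 10.0.0.0/24, /srv/sftp). It handles only User, Group and Address criteria with exact names and CIDR or plain addresses (no wildcards or negation); on a real host the authoritative check is `sshd -T -C user=...,addr=...`.

```python
import ipaddress

# Solution 2's sshd_config with its placeholders filled in (constructed values
# for this example, not the original poster's).
SSHD_CONFIG = """
Subsystem sftp internal-sftp
ChrootDirectory /srv/sftp
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
Match User admin Address 10.0.0.0/24
    ChrootDirectory none
    X11Forwarding yes
    AllowTcpForwarding yes
    ForceCommand /bin/bash
Match User admin
    ForceCommand none
"""

def criteria_hold(criteria, user, groups, addr):
    """A Match line holds only if every keyword/pattern pair it lists holds."""
    ip = ipaddress.ip_address(addr)
    for key, pat in zip(criteria[::2], criteria[1::2]):
        key, pats = key.lower(), pat.split(",")
        if key == "user" and user not in pats:
            return False
        if key == "group" and not set(groups) & set(pats):
            return False
        if key == "address" and not any(
                ip in ipaddress.ip_network(p, strict=False) for p in pats):
            return False
    return True

def effective(config, user, groups, addr):
    """Resolve options as sshd does: matching Match blocks are read in file order,
    the first value seen for a keyword wins, and the rest falls back to the global section."""
    glob, matched = {}, {}
    target = glob  # where the current section's keywords are stored (None = skip)
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        key, value = key.lower(), value.strip()
        if key == "match":
            target = matched if criteria_hold(value.split(), user, groups, addr) else None
        elif target is not None:
            target.setdefault(key, value)  # first obtained value wins
    return {**glob, **matched}
```

Running it shows that the admin from an outside address keeps the global ChrootDirectory while only ForceCommand is lifted, which is what the two stacked blocks are meant to achieve.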
Solution 3
I created a group called sftpupload. Every customer without ssh access is in this group and can just use sftp:
# sshd_config:
Subsystem sftp internal-sftp
Match group sftpupload
ChrootDirectory /home
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
You can also use ChrootDirectory %h for real chrooting in ~ (see the manual page).
Updated on September 17, 2022
Comments
Jorisslob almost 2 years
We have a webserver where users are allowed to upload (SFTP) large files in a chroot environment. We also want to be able to use SSH to manage this server.
In our old situation we used the system sshd and a chroot environment with a separate sshd running inside. I hoped I could simplify the configuration with the 'new' ChrootDirectory option.
Our server has two IP addresses, one for public access and one for internal access. Is it possible for a single sshd to listen to two separate IPs/interfaces but treat them differently? In all the documentation I have read it seems like it is only possible to distinguish between users or groups, but not IPs/interfaces.
If this is not possible, is the dual sshd setup the best option, should I do better User Management to filter them by Group, or is there a more elegant way to set up a server like this?