
I am setting up a restricted SFTP user with chroot. The standard procedure works fine for me; however, I have existing users using SFTP on the same server, and that's why I don't want to take the risk of changing the default Subsystem "sftp-server" to "internal-sftp" for all users. I am wondering whether skipping this step (step 1 below) and only using "ForceCommand internal-sftp" in the "Match User" block is enough (step 2)? I already did some tests and it looks fine; is there something I am missing?

This is the start of the procedure that I am following:

1 - Edit sshd_config. Comment out the original "Subsystem" entry for sftp
    and replace it with the "internal-sftp" entry:

vi /etc/ssh/sshd_config

#Subsystem sftp /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftp

2 - Add the following to the end of the /etc/ssh/sshd_config file:

Match User user99
    ChrootDirectory /chroots/%u
    AllowTcpForwarding no
    ForceCommand internal-sftp
    X11Forwarding no

Thanks for your time.

1 Answer


Your ForceCommand internal-sftp is sufficient to mandate the use of the internal sftp server in OpenSSH. In a Match User it only applies to that user. Note that Match Group is also an option, if a group that could match multiple users is desired.

Subsystem does not matter in this case. It may be there as an example that the sftp-server program is an alternative, or it might be someone understandably confused by this subtle difference in implementation choice.

With a new enough OpenSSH, my preference would be to use drop-in files: perhaps

Include /etc/ssh/sshd_config.d/*.conf

and then install /etc/ssh/sshd_config.d/chroot.conf, or whatever, containing just the Match blocks defining the chroots.

John Mahowald
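As an added example (not code from the question or the answer above), the following script puts the answer's drop-in approach together with the checks you would run before reloading sshd on a box that already has SFTP users: it writes the Match block to a drop-in file, prepares the chroot directory the way sshd requires, and prints the effective settings for the new user and for an existing one so you can see that only the forcecommand and chrootdirectory lines differ while the global subsystem line is unchanged. It goes slightly beyond the thread by also walking the chroot path and checking ownership and modes, which is the usual reason a chrooted SFTP login fails. The user name "user99" and the /chroots/%u layout come from the question; the drop-in directory, the "upload" subdirectory, the SFTP_CHROOT_APPLY switch and the host/addr values passed to sshd -T are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the question or the answer: install the Match block
# as an sshd drop-in, prepare the chroot as sshd requires, and confirm the
# effective per-user settings before touching existing users.
# Assumed: the drop-in directory, the "upload" subdirectory, SFTP_CHROOT_APPLY.
set -eu

# The main sshd_config must contain "Include /etc/ssh/sshd_config.d/*.conf"
# ABOVE any Match block; an Include placed after a Match is scoped to it.
CONF_DIR="${CONF_DIR:-/etc/ssh/sshd_config.d}"
CHROOT_BASE="${CHROOT_BASE:-/chroots}"

# Print the drop-in. The global "Subsystem sftp ..." line is left untouched,
# so existing users keep whatever server it names; ForceCommand applies only
# to the matched user, whatever subsystem the client asks for.
chroot_conf() {
    cat <<EOF
# sftp-only chrooted account; keep all such Match blocks in this file
Match User $1
    ChrootDirectory $CHROOT_BASE/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTunnel no
EOF
}

# sshd refuses the login ("bad ownership or modes for chroot directory")
# unless the chroot and every directory above it are owned by root and not
# writable by group or others. Walk from the chroot up to / and check each.
chroot_path_ok() {
    p="$1"
    while :; do
        [ -d "$p" ] || { echo "chroot_path_ok: $p is not a directory" >&2; return 1; }
        if [ -n "$(find "$p" -maxdepth 0 ! -user root)" ] ||
           [ -n "$(find "$p" -maxdepth 0 -perm /022)" ]; then
            echo "chroot_path_ok: bad ownership or modes for $p" >&2
            return 1
        fi
        [ "$p" = / ] && return 0
        p=$(dirname "$p")
    done
}

# Root-owned, read-only chroot top level, plus a user-owned subdirectory
# (assumed name "upload") that the account can actually write to.
make_chroot() {
    user="$1"
    install -d -o root -g root -m 0755 "$CHROOT_BASE" "$CHROOT_BASE/$user"
    install -d -o "$user" -m 0755 "$CHROOT_BASE/$user/upload"
    chroot_path_ok "$CHROOT_BASE/$user"
}

# What sshd will actually apply for one user. For the chrooted account this
# shows "forcecommand internal-sftp"; for an untouched user it shows
# "forcecommand none". The subsystem line is the same global value for both.
effective_config() {
    sshd -T -C "user=$1,host=localhost,addr=127.0.0.1" |
        grep -iE '^(forcecommand|chrootdirectory|subsystem|allowtcpforwarding) '
}

main() {
    user="${1:-user99}"
    chroot_conf "$user" > "$CONF_DIR/chroot.conf"
    make_chroot "$user"
    sshd -t                                     # syntax check before any reload
    effective_config "$user"
    effective_config "${2:-$(id -un)}"          # an existing, non-chrooted user
}

# Only change the system when explicitly asked; otherwise just define helpers.
if [ "${SFTP_CHROOT_APPLY:-0}" = 1 ]; then
    main "$@"
fi
```

Run it as root with SFTP_CHROOT_APPLY=1 ./sftp-chroot.sh user99 someexistinguser. Reload sshd only after sshd -t is clean and the two effective_config listings show the expected difference; keeping the Match blocks in their own drop-in file also means the existing Subsystem line in the main sshd_config is never edited.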