I understand that there have been tons of other threads on the Internet on allowing OpenSSH SFTP connections on a custom port. I've hit them, not all, but a lot. And have not been able to make it work in my specific case 🙂
Here's what I've been struggling with:
- CentOS Linux release 7.6.1810 (Core), on AWS
- OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017
- Requirements:
  - Only 1 sshd instance allowed
  - Port 22: SSH
  - Port 2222: SFTP
  - Chrooted SFTP users
- At the top of /etc/ssh/sshd_config I have:

      Port 22
      Port 2222

- SFTP server configured using johanmeiring's Ansible role ansible-sftp
- I then modified /etc/ssh/sshd_config to change this Match line from:

      Match Group sftpusers

  to:

      Match Group sftpusers LocalPort 2222

  in hope that users of the group sftpusers will *only* be able to SFTP-connect via port 2222
- This is more of /etc/ssh/sshd_config that I think is relevant:

      Port 22
      Port 2222
      ...
      Subsystem sftp internal-sftp -f AUTH -l VERBOSE
      ...
      Match Group sftpusers LocalPort 2222
          ChrootDirectory %h
          AllowTCPForwarding no
          X11Forwarding no
          ForceCommand internal-sftp
          PasswordAuthentication no

- What really happened is SFTP users are able to connect via both ports 22 and 2222. To make it worse, when connecting via port 22, SFTP users are not chrooted at all (they're able to cd freely). All of this is not expected.
How do I achieve chrooted SFTP users, restricted to port 2222, based on OpenSSH, while letting SSH function normally?
Thank you.
Best Answer
Try to add another match group and deny access to the group.
Would work.
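One way to implement the answer's suggestion, as an added sshd_config example that is not from the question or the answer: a second Match block denies the sftpusers group on port 22, so the only port that admits them is the chrooted one. It assumes the question's Port, Subsystem and sftpusers block; sshd evaluates Match blocks in order and the first value set for a keyword wins, so the deny block applies only to port 22 and leaves the port 2222 block untouched.

```sshd_config
# Added example, not the question's or the answer's own file.
# Assumes: sshd listens on 22 and 2222, SFTP-only accounts are in group sftpusers.
Port 22
Port 2222

Subsystem sftp internal-sftp -f AUTH -l VERBOSE

# Deny the SFTP group on the interactive SSH port, so a member connecting
# to port 22 is refused instead of getting an unchrooted session.
Match Group sftpusers LocalPort 22
    DenyGroups sftpusers

# On the SFTP port the same group is chrooted and forced into internal-sftp.
# ChrootDirectory %h requires each home directory to be owned by root and
# not writable by group or others, otherwise sshd refuses the login.
Match Group sftpusers LocalPort 2222
    ChrootDirectory %h
    AllowTcpForwarding no
    X11Forwarding no
    ForceCommand internal-sftp
    PasswordAuthentication no
```

Check the syntax with `sshd -t`, then print the effective settings for a group member on each port with `sshd -T -C user=<sftpuser>,host=<client>,addr=<client-ip>,lport=22` and again with `lport=2222` before restarting the single sshd instance.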