I understand that there have been tons of other threads on the Internet on allowing OpenSSH SFTP connections on a custom port. I've hit them, not all, but a lot. And have not been able to make it work in my specific case 🙂
Here's what I've been struggling with:
- CentOS Linux release 7.6.1810 (Core), on AWS
- OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017
- Requirements:
- Only 1
sshdinstance allowed - Port 22: SSH
- Port 2222: SFTP
- Chrooted SFTP users
- Only 1
-
At the top of
/etc/ssh/sshd_configI have:Port 22 Port 2222 -
SFTP server configured using
johanmeiring's Ansible role ansible-sftp-
I then modified
/etc/ssh/sshd_configto change thisMatchline from:Match Group sftpusersto:
Match Group sftpusers LocalPort 2222in hope that users of the group
sftpuserswill *only* be able to SFTP-connect via port 2222 -
This is more of
/etc/ssh/sshd_configthat I think is relevant:Port 22 Port 2222 ... Subsystem sftp internal-sftp -f AUTH -l VERBOSE ... Match Group sftpusers LocalPort 2222 ChrootDirectory %h AllowTCPForwarding no X11Forwarding no ForceCommand internal-sftp PasswordAuthentication no
-
What really happened is SFTP users are able connect via both ports 22 and 2222. To make it worse, when connecting via port 22, SFTP users are not chrooted at all (they're able to cd freely). All of this is not expected.
How do I achieve chrooted SFTP users, restricted to port 2222, based on OpenSSH, while letting SSH function normally?
Thank you.
Best Answer
Try to add another match group and deny access to the group.
Would work.