A few days ago I tried to figure out whether it is possible to restrict a particular Unix account to chrooted sftp access to some files, while still allowing that same account a full, unrestricted shell login over ssh from some company-internal IP addresses.
It is indeed possible. Here is a sample config that gives user “user1” full shell access from the trusted internal addresses 10.0.0.1 and 192.168.3.6 and from the 10.0.8.0/24 subnet, while a login with the same account from any other IP address is chrooted, with TCP and X11 forwarding disabled; from those other addresses login is also permitted with a password in addition to private/public key authentication.
As usual, for chrooted access to work, /home/user1homedir must be owned by root and must not be writable by any other user or group.
# extract from main sshd_config file
PasswordAuthentication no
AllowTcpForwarding yes
Subsystem sftp internal-sftp

# restrictions for unix account "user1" from all IP addresses except 10.0.0.1, 192.168.3.6 and 10.0.8.0/24
Match User user1 Address *,!10.0.0.1,!192.168.3.6,!10.0.8.0/24
    PasswordAuthentication yes
    AllowTcpForwarding no
    X11Forwarding no
    ChrootDirectory /home/user1homedir
    ForceCommand internal-sftp