{"id":1379,"date":"2012-02-25T12:20:36","date_gmt":"2012-02-25T12:20:36","guid":{"rendered":"http:\/\/nethemba.com\/cs\/chroot-restrict-sftp-only-access-and-full-shell-ssh-login-with-no-chroot-restrictions-for-the-same-unix-account-howto\/"},"modified":"2012-02-25T12:20:36","modified_gmt":"2012-02-25T12:20:36","slug":"chroot-restrict-sftp-only-access-and-full-shell-ssh-login-with-no-chroot-restrictions-for-the-same-unix-account-howto","status":"publish","type":"post","link":"https:\/\/nethemba.com\/cs\/chroot-restrict-sftp-only-access-and-full-shell-ssh-login-with-no-chroot-restrictions-for-the-same-unix-account-howto\/","title":{"rendered":"chroot-restrict sftp only access and full shell ssh login with no chroot restrictions for the same unix account HOWTO"},"content":{"rendered":"<p>A few days ago I tried to figure out whether it&#8217;s possible to chroot-restrict SFTP-only access to some files for a particular user account, while allowing full shell SSH login with no chroot restrictions from some company-internal IP addresses for the same Unix account.<br \/>\nIt is indeed possible. Here is the sample config, where we enable full shell access for user &#8222;user1&#8220; from the internal trusted IP addresses 10.0.0.1, 192.168.3.6 and the 10.0.8.0\/24 subnet, while access with the same account from any other IP address is chrooted, with TCP and X11 forwarding disabled, and login is also permitted with a password in addition to private\/public key authentication.<br \/>\nAs usual, for chrooted access to work, \/home\/user1homedir must be root-owned and have proper permissions.<\/p>\n<pre># extract from main sshd_config file\r\nPasswordAuthentication no\r\nAllowTcpForwarding yes\r\nSubsystem sftp internal-sftp\r\n\r\n# restrictions for unix account \"user1\" from all 
IP addresses except\r\n# 10.0.0.1, 192.168.3.6 and 10.0.8.0\/24\r\nMatch User user1 Address *,!10.0.0.1,!192.168.3.6,!10.0.8.0\/24\r\n    PasswordAuthentication yes\r\n    AllowTcpForwarding no\r\n    X11Forwarding no\r\n    ChrootDirectory \/home\/user1homedir\r\n    ForceCommand internal-sftp<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>A few days ago I tried to figure out whether it&#8217;s possible to chroot-restrict SFTP-only access to some files for a particular user account, while allowing full shell SSH login with no chroot restrictions from some company-internal IP addresses for the same Unix account. It is indeed possible. Here is the sample config, [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[12],"tags":[838,839,840,841,842],"class_list":["post-1379","post","type-post","status-publish","format-standard","hentry","category-uncategorized-cs","tag-chroot-cs","tag-ip-restriction-cs","tag-match-user-cs","tag-ssh-cs","tag-sshd_config-cs"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.2 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>chroot-restrict sftp only access and full shell ssh login with no chroot restrictions for the same unix account HOWTO - Nethemba<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link 
rel=\"canonical\" href=\"https:\/\/nethemba.com\/cs\/chroot-restrict-sftp-only-access-and-full-shell-ssh-login-with-no-chroot-restrictions-for-the-same-unix-account-howto\/\" \/>\n<meta property=\"og:locale\" content=\"cs_CZ\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"chroot-restrict sftp only access and full shell ssh login with no chroot restrictions for the same unix account HOWTO - Nethemba\" \/>\n<meta property=\"og:description\" content=\"A few days ago I tried to figure out whether it&#8217;s possible to chroot-restrict SFTP-only access to some files for a particular user account, while allowing full shell SSH login with no chroot restrictions from some company-internal IP addresses for the same Unix account. It is indeed possible. Here is the sample config, [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/nethemba.com\/cs\/chroot-restrict-sftp-only-access-and-full-shell-ssh-login-with-no-chroot-restrictions-for-the-same-unix-account-howto\/\" \/>\n<meta property=\"og:site_name\" content=\"Nethemba\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/nethemba\" \/>\n<meta property=\"article:published_time\" content=\"2012-02-25T12:20:36+00:00\" \/>\n<meta name=\"author\" content=\"Pavol Lupt\u00e1k\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@nethemba\" \/>\n<meta name=\"twitter:site\" content=\"@nethemba\" \/>\n<meta name=\"twitter:label1\" content=\"Napsal(a)\" \/>\n\t<meta name=\"twitter:data1\" content=\"Pavol Lupt\u00e1k\" \/>\n\t<meta name=\"twitter:label2\" content=\"Odhadovan\u00e1 doba \u010dten\u00ed\" \/>\n\t<meta name=\"twitter:data2\" content=\"1 minuta\" \/>\n<script type=\"application\/ld+json\" 
class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/nethemba.com\/cs\/chroot-restrict-sftp-only-access-and-full-shell-ssh-login-with-no-chroot-restrictions-for-the-same-unix-account-howto\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/nethemba.com\/cs\/chroot-restrict-sftp-only-access-and-full-shell-ssh-login-with-no-chroot-restrictions-for-the-same-unix-account-howto\/\"},\"author\":{\"name\":\"Pavol Lupt\u00e1k\",\"@id\":\"https:\/\/nethemba.com\/de\/#\/schema\/person\/5f4ba68c8e1a2013d30e0804245b8234\"},\"headline\":\"chroot-restrict sftp only access and full shell ssh login with no chroot restrictions for the same unix account HOWTO\",\"datePublished\":\"2012-02-25T12:20:36+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/nethemba.com\/cs\/chroot-restrict-sftp-only-access-and-full-shell-ssh-login-with-no-chroot-restrictions-for-the-same-unix-account-howto\/\"},\"wordCount\":142,\"commentCount\":0,\"keywords\":[\"chroot\",\"ip restriction\",\"match user\",\"ssh\",\"sshd_config\"],\"articleSection\":[\"Uncategorized @cs\"],\"inLanguage\":\"cs\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/nethemba.com\/cs\/chroot-restrict-sftp-only-access-and-full-shell-ssh-login-with-no-chroot-restrictions-for-the-same-unix-account-howto\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/nethemba.com\/cs\/chroot-restrict-sftp-only-access-and-full-shell-ssh-login-with-no-chroot-restrictions-for-the-same-unix-account-howto\/\",\"url\":\"https:\/\/nethemba.com\/cs\/chroot-restrict-sftp-only-access-and-full-shell-ssh-login-with-no-chroot-restrictions-for-the-same-unix-account-howto\/\",\"name\":\"chroot-restrict sftp only access and full shell ssh login with no chroot restrictions for the same unix account HOWTO - 
Nethemba\",\"isPartOf\":{\"@id\":\"https:\/\/nethemba.com\/de\/#website\"},\"datePublished\":\"2012-02-25T12:20:36+00:00\",\"author\":{\"@id\":\"https:\/\/nethemba.com\/de\/#\/schema\/person\/5f4ba68c8e1a2013d30e0804245b8234\"},\"breadcrumb\":{\"@id\":\"https:\/\/nethemba.com\/cs\/chroot-restrict-sftp-only-access-and-full-shell-ssh-login-with-no-chroot-restrictions-for-the-same-unix-account-howto\/#breadcrumb\"},\"inLanguage\":\"cs\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/nethemba.com\/cs\/chroot-restrict-sftp-only-access-and-full-shell-ssh-login-with-no-chroot-restrictions-for-the-same-unix-account-howto\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/nethemba.com\/cs\/chroot-restrict-sftp-only-access-and-full-shell-ssh-login-with-no-chroot-restrictions-for-the-same-unix-account-howto\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/nethemba.com\/cs\/home-new-2025\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"chroot-restrict sftp only access and full shell ssh login with no chroot restrictions for the same unix account HOWTO\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/nethemba.com\/de\/#website\",\"url\":\"https:\/\/nethemba.com\/de\/\",\"name\":\"Nethemba\",\"description\":\"We care about your security\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/nethemba.com\/de\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"cs\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/nethemba.com\/de\/#\/schema\/person\/5f4ba68c8e1a2013d30e0804245b8234\",\"name\":\"Pavol 
Lupt\u00e1k\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"cs\",\"@id\":\"https:\/\/secure.gravatar.com\/avatar\/978b23022518d076eaa243b375d2e0272af4f00dd502ce79cc357276d9bc2495?s=96&d=mm&r=g\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/978b23022518d076eaa243b375d2e0272af4f00dd502ce79cc357276d9bc2495?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/978b23022518d076eaa243b375d2e0272af4f00dd502ce79cc357276d9bc2495?s=96&d=mm&r=g\",\"caption\":\"Pavol Lupt\u00e1k\"},\"sameAs\":[\"https:\/\/www.nethemba.com\/\"],\"url\":\"https:\/\/nethemba.com\/cs\/author\/nethemba-admin\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"chroot-restrict sftp only access and full shell ssh login with no chroot restrictions for the same unix account HOWTO - Nethemba","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/nethemba.com\/cs\/chroot-restrict-sftp-only-access-and-full-shell-ssh-login-with-no-chroot-restrictions-for-the-same-unix-account-howto\/","og_locale":"cs_CZ","og_type":"article","og_title":"chroot-restrict sftp only access and full shell ssh login with no chroot restrictions for the same unix account HOWTO - Nethemba","og_description":"A few days ago I tried to figure out whether it&#8217;s possible to chroot-restrict SFTP-only access to some files for a particular user account, while allowing full shell SSH login with no chroot restrictions from some company-internal IP addresses for the same Unix account. 
It is indeed possible. Here is the sample config, [&hellip;]","og_url":"https:\/\/nethemba.com\/cs\/chroot-restrict-sftp-only-access-and-full-shell-ssh-login-with-no-chroot-restrictions-for-the-same-unix-account-howto\/","og_site_name":"Nethemba","article_publisher":"https:\/\/www.facebook.com\/nethemba","article_published_time":"2012-02-25T12:20:36+00:00","author":"Pavol Lupt\u00e1k","twitter_card":"summary_large_image","twitter_creator":"@nethemba","twitter_site":"@nethemba","twitter_misc":{"Napsal(a)":"Pavol Lupt\u00e1k","Odhadovan\u00e1 doba \u010dten\u00ed":"1 minuta"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/nethemba.com\/cs\/chroot-restrict-sftp-only-access-and-full-shell-ssh-login-with-no-chroot-restrictions-for-the-same-unix-account-howto\/#article","isPartOf":{"@id":"https:\/\/nethemba.com\/cs\/chroot-restrict-sftp-only-access-and-full-shell-ssh-login-with-no-chroot-restrictions-for-the-same-unix-account-howto\/"},"author":{"name":"Pavol Lupt\u00e1k","@id":"https:\/\/nethemba.com\/de\/#\/schema\/person\/5f4ba68c8e1a2013d30e0804245b8234"},"headline":"chroot-restrict sftp only access and full shell ssh login with no chroot restrictions for the same unix account HOWTO","datePublished":"2012-02-25T12:20:36+00:00","mainEntityOfPage":{"@id":"https:\/\/nethemba.com\/cs\/chroot-restrict-sftp-only-access-and-full-shell-ssh-login-with-no-chroot-restrictions-for-the-same-unix-account-howto\/"},"wordCount":142,"commentCount":0,"keywords":["chroot","ip restriction","match user","ssh","sshd_config"],"articleSection":["Uncategorized 
@cs"],"inLanguage":"cs","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/nethemba.com\/cs\/chroot-restrict-sftp-only-access-and-full-shell-ssh-login-with-no-chroot-restrictions-for-the-same-unix-account-howto\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/nethemba.com\/cs\/chroot-restrict-sftp-only-access-and-full-shell-ssh-login-with-no-chroot-restrictions-for-the-same-unix-account-howto\/","url":"https:\/\/nethemba.com\/cs\/chroot-restrict-sftp-only-access-and-full-shell-ssh-login-with-no-chroot-restrictions-for-the-same-unix-account-howto\/","name":"chroot-restrict sftp only access and full shell ssh login with no chroot restrictions for the same unix account HOWTO - Nethemba","isPartOf":{"@id":"https:\/\/nethemba.com\/de\/#website"},"datePublished":"2012-02-25T12:20:36+00:00","author":{"@id":"https:\/\/nethemba.com\/de\/#\/schema\/person\/5f4ba68c8e1a2013d30e0804245b8234"},"breadcrumb":{"@id":"https:\/\/nethemba.com\/cs\/chroot-restrict-sftp-only-access-and-full-shell-ssh-login-with-no-chroot-restrictions-for-the-same-unix-account-howto\/#breadcrumb"},"inLanguage":"cs","potentialAction":[{"@type":"ReadAction","target":["https:\/\/nethemba.com\/cs\/chroot-restrict-sftp-only-access-and-full-shell-ssh-login-with-no-chroot-restrictions-for-the-same-unix-account-howto\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/nethemba.com\/cs\/chroot-restrict-sftp-only-access-and-full-shell-ssh-login-with-no-chroot-restrictions-for-the-same-unix-account-howto\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/nethemba.com\/cs\/home-new-2025\/"},{"@type":"ListItem","position":2,"name":"chroot-restrict sftp only access and full shell ssh login with no chroot restrictions for the same unix account HOWTO"}]},{"@type":"WebSite","@id":"https:\/\/nethemba.com\/de\/#website","url":"https:\/\/nethemba.com\/de\/","name":"Nethemba","description":"We care about your 
security","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/nethemba.com\/de\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"cs"},{"@type":"Person","@id":"https:\/\/nethemba.com\/de\/#\/schema\/person\/5f4ba68c8e1a2013d30e0804245b8234","name":"Pavol Lupt\u00e1k","image":{"@type":"ImageObject","inLanguage":"cs","@id":"https:\/\/secure.gravatar.com\/avatar\/978b23022518d076eaa243b375d2e0272af4f00dd502ce79cc357276d9bc2495?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/978b23022518d076eaa243b375d2e0272af4f00dd502ce79cc357276d9bc2495?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/978b23022518d076eaa243b375d2e0272af4f00dd502ce79cc357276d9bc2495?s=96&d=mm&r=g","caption":"Pavol Lupt\u00e1k"},"sameAs":["https:\/\/www.nethemba.com\/"],"url":"https:\/\/nethemba.com\/cs\/author\/nethemba-admin\/"}]}},"_links":{"self":[{"href":"https:\/\/nethemba.com\/cs\/wp-json\/wp\/v2\/posts\/1379","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nethemba.com\/cs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nethemba.com\/cs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nethemba.com\/cs\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/nethemba.com\/cs\/wp-json\/wp\/v2\/comments?post=1379"}],"version-history":[{"count":0,"href":"https:\/\/nethemba.com\/cs\/wp-json\/wp\/v2\/posts\/1379\/revisions"}],"wp:attachment":[{"href":"https:\/\/nethemba.com\/cs\/wp-json\/wp\/v2\/media?parent=1379"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nethemba.com\/cs\/wp-json\/wp\/v2\/categories?post=1379"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nethemba.com\/cs\/wp-json\/wp\/v2\/tags?post=1379"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}