chroot-restrict sftp only access and full shell ssh login with no chroot restrictions for the same unix account HOWTO - Nethemba


2012-02-25 12:20 Pavol Lupták

A few days ago I tried to figure out whether it is possible to chroot-restrict SFTP-only access to some files for a particular user account, while allowing a full shell SSH login with no chroot restrictions from some company-internal IP addresses for the same unix account.
It is indeed possible. Here is the sample config: it enables full shell access for user “user1” from the internal trusted IP addresses 10.0.0.1, 192.168.3.6 and the 10.0.8.0/24 subnet, while access with the same account from any other IP address is chrooted, has TCP and X11 forwarding disabled, and additionally permits password login in addition to private/public key authentication.
As usual, for the chrooted access to work, /home/user1homedir (and every directory above it) must be owned by root and must not be writable by group or others; sshd refuses to chroot otherwise.

# extract from main sshd_config file
PasswordAuthentication no
AllowTcpForwarding yes
Subsystem sftp internal-sftp

# restrictions for unix account "user1" from all IP addresses except
# 10.0.0.1, 192.168.3.6 and 10.0.8.0/24
Match User user1 Address *,!10.0.0.1,!192.168.3.6,!10.0.8.0/24
    PasswordAuthentication yes
    AllowTcpForwarding no
    X11Forwarding no
    ChrootDirectory /home/user1homedir
    ForceCommand internal-sftp
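The part of this config that is easy to get wrong is the Address pattern list: sshd evaluates the comma-separated entries in order, remembers a positive hit but keeps going, and a later negated (“!”) hit wins, which is what turns “*,!10.0.0.1,…” into “everywhere except these”. The Python below is an added example, not OpenSSH code and not part of the original post; it models that documented pattern-list behaviour, applies it to the post’s own Match block to show which options a session ends up with, and checks the ChrootDirectory ownership rule against constructed stat values. The GLOBAL and MATCH_BLOCKS dictionaries, the function names and the sample source addresses (203.0.113.5, 10.0.8.77, 192.168.3.7) are all assumptions made for the example.

```python
"""Model of how sshd picks options for a session under the sample config.

Added example, not OpenSSH code: it reimplements the documented semantics
of a Match "Address" pattern list (CIDR entries, wildcard entries, '!'
negation) and of the ChrootDirectory ownership rule, so the effect of
the post's configuration can be checked offline.
"""
import fnmatch
import ipaddress
import stat
from pathlib import PurePosixPath

# Global options copied from the sample sshd_config (only those the post sets).
GLOBAL = {
    "PasswordAuthentication": "no",
    "AllowTcpForwarding": "yes",
}

# The post's Match block, transcribed into data (constructed for the example).
MATCH_BLOCKS = [
    {
        "user": "user1",
        "address": "*,!10.0.0.1,!192.168.3.6,!10.0.8.0/24",
        "options": {
            "PasswordAuthentication": "yes",
            "AllowTcpForwarding": "no",
            "X11Forwarding": "no",
            "ChrootDirectory": "/home/user1homedir",
            "ForceCommand": "internal-sftp",
        },
    },
]


def address_matches(addr: str, pattern_list: str) -> bool:
    """Evaluate a Match Address pattern list as sshd_config(5) describes it.

    Each comma-separated entry is a CIDR network (a bare address counts as
    a /32 or /128) or a wildcard pattern, optionally prefixed with '!'.
    A positive hit is remembered but evaluation continues; the first
    negated hit ends evaluation with "no match".  That ordering rule is
    what makes "*,!10.0.0.1" mean "any address except 10.0.0.1".
    """
    ip = ipaddress.ip_address(addr)
    matched = False
    for entry in pattern_list.split(","):
        entry = entry.strip()
        if not entry:
            raise ValueError("empty entry in Address pattern list")
        negated = entry.startswith("!")
        if negated:
            entry = entry[1:]
        try:
            hit = ip in ipaddress.ip_network(entry, strict=False)
        except ValueError:
            # Not a CIDR/address: fall back to shell-style wildcard matching.
            hit = fnmatch.fnmatchcase(addr, entry)
        if hit:
            if negated:
                return False
            matched = True
    return matched


def effective_options(user: str, addr: str) -> dict:
    """Return the options a session for `user` from `addr` would get.

    Matching blocks are applied in file order and the first block to set a
    keyword wins; anything still unset falls back to the global section.
    """
    result = {}
    for block in MATCH_BLOCKS:
        if not fnmatch.fnmatchcase(user, block["user"]):
            continue
        if not address_matches(addr, block["address"]):
            continue
        for key, value in block["options"].items():
            result.setdefault(key, value)
    for key, value in GLOBAL.items():
        result.setdefault(key, value)
    return result


def chroot_path_acceptable(path: str, stats: dict) -> bool:
    """Apply sshd's ChrootDirectory rule to every component of `path`.

    `stats` maps each component path to (st_uid, st_mode); the caller
    gathers it (e.g. with os.stat) so this check stays offline.  Every
    component must be root-owned and not writable by group or others.
    """
    target = PurePosixPath(path)
    for component in [target, *target.parents]:
        entry = stats.get(str(component))
        if entry is None:
            return False
        uid, mode = entry
        if uid != 0 or mode & (stat.S_IWGRP | stat.S_IWOTH):
            return False
    return True


if __name__ == "__main__":
    for source in ("10.0.0.1", "10.0.8.77", "192.168.3.7", "203.0.113.5"):
        print(source, effective_options("user1", source))
```

On the real host the equivalent check is `sshd -T -C user=user1,addr=203.0.113.5`, which prints the effective configuration for that connection, and `ls -ld / /home /home/user1homedir` for the ownership rule; the model above only lets you reason about the pattern list without touching a live server.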