I'm setting up a Windows Server 2019-based web server. One of our vendors needs to be able to upload files. I have
- Added sshd
- Created a login for them to use
- Created a group for that login
- Added that login to the group, and removed the login from all other groups
- Created an upload directory
- Given the group Write and Modify permissions in that directory
- Added the line
ForceCommand internal-sftp -d "C:\inetpub\ftproot\Upload"
to a Match directive for that group in sshd_config
So far, so good. That login can connect to the box via SFTP, and the session automatically begins in the directory Upload, and it can upload and download files from there. But I cannot figure out how to prevent it from seeing the contents of other directories. Just removing the login from the group Users had no effect. Denying the group Read and List in the enclosing ftproot directory results in being unable to connect (with an authentication failure). The only suggestion I have found in an hour of Google searching is to set a value for ChrootDirectory, but that results in no login being able to connect by SFTP or SSH (with apparent failures of the service to respond). I am pretty new to Windows server, and I'm out of ideas. There must obviously be a right way to do this - can someone point me in the right direction?
[Update]
This box is running OpenSSH 7.7:
> ssh -V
OpenSSH_for_Windows_7.7p1, LibreSSL 2.6.5
When I add this line to the Match directive for the sftp group:
ChrootDirectory "C:\inetpub\ftproot\Upload"
and then attempt to connect as any user, whether or not in that group, this is what appears in sshd.log (obviously the pid, port, and timestamp will vary):
3332 2021-08-17 12:04:24.931 Failed password for invalid user sftpuser from XX.XX.XX.XX port 34240 ssh2
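An added example, not part of the question: a PowerShell audit of the steps listed above (group membership of the vendor login, NTFS rights on the upload directory, the Match block in sshd_config, and failed logins in sshd.log). The login name sftpuser is taken from the quoted log line; the group name sftpusers and the default sshd_config and sshd.log locations under %ProgramData%\ssh are assumptions.

```powershell
# Added example (not the poster's code). Assumed names: login 'sftpuser' (from the quoted
# log line), local group 'sftpusers', upload path from the post, default OpenSSH paths.
$login     = 'sftpuser'
$sftpGroup = 'sftpusers'
$uploadDir = 'C:\inetpub\ftproot\Upload'
$sshdConf  = "$env:ProgramData\ssh\sshd_config"
$sshdLog   = "$env:ProgramData\ssh\logs\sshd.log"

# 1. Local groups the login belongs to; it should be in the SFTP group and nothing else.
$memberOf = foreach ($g in Get-LocalGroup) {
    $members = Get-LocalGroupMember -Group $g.Name -ErrorAction SilentlyContinue
    if ($members.Name -contains "$env:COMPUTERNAME\$login") { $g.Name }
}
"Groups for ${login}: $($memberOf -join ', ')"
$extra = $memberOf | Where-Object { $_ -ne $sftpGroup }
if ($extra) { "WARNING: $login is also a member of: $($extra -join ', ')" }

# 2. NTFS access entries for the group on the upload directory (Write/Modify expected).
(Get-Acl -Path $uploadDir).Access |
    Where-Object { $_.IdentityReference -like "*\$sftpGroup" } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize

# 3. Print the Match block for the group, up to the next Match line, so that
#    ChrootDirectory and ForceCommand can be reviewed together.
$inBlock = $false
foreach ($line in Get-Content -Path $sshdConf) {
    if ($line -match '^\s*Match\b') {
        $inBlock = $line -match "^\s*Match\s+Group\s+$sftpGroup\b"
    }
    if ($inBlock) { $line }
}

# 4. Failed logins in sshd.log (same line format as the one quoted in the post),
#    counted per user and source address.
Get-Content -Path $sshdLog | ForEach-Object {
    if ($_ -match 'Failed password for (?:invalid user )?(\S+) from (\S+) port') {
        [pscustomobject]@{ User = $Matches[1]; Source = $Matches[2] }
    }
} | Group-Object User, Source | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the server; step 1 can be slow on hosts with many local groups.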