Score:0

How to allow some SFTP users SSH access as well?


I'm deploying an SFTP server for a team, but some of those users also need SSH access to administer the server.

PAM is sssd with our AD, so I can't create separate local users for them to use for SSH, or create separate AD accounts just for SSH access.

Currently, I have this:

Match group server_ftp-only
    ChrootDirectory /shared
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp

If I remove ForceCommand internal-sftp, that will allow users to both SFTP and SSH, but I don't want all users to SFTP, only a couple of users.

I tried adding this:

Match group server_admins
    AllowUsers *

But it doesn't work. It appears that the original Match group overrides this second Match group.

One possible solution would be to move the SSH users out of the server_ftp-only security group and into the server_admins group, then create a Match group server_admins without ForceCommand internal-sftp, but the server_ftp-only group is populated by team groups (Team-A > server_ftp-only). I really can't create additional groups and separate these users from their team groups.

Nikita Kipriyanov
*I really can't create additional groups and separate these users from their team groups* — which means you don't control your environment? Then you have to explain to those who control it that they must change the users' membership. Or list each user individually within each `Match` statement, instead of matching by group (which is cumbersome to maintain and, honestly, wrong).
Score:0

Your problem is partly that there is, as far as I know, no way to use a conditional Match block to unset the ForceCommand when that is set as a global default or set by another Match conditional.

So you can't do:

# /etc/ssh/sshd_config
# global config ...

# Enable the internal SFTP server and restrict all users to only SFTP

Subsystem sftp internal-sftp
ForceCommand internal-sftp
ChrootDirectory /shared

# ...

# Override and remove the ForceCommand sftp-only restriction
# for users in the server_admins group

Match group server_admins
    ChrootDirectory none   # <=== this does exist
    ForceCommand    none   # <=== this does NOT exist

You solve that by implementing a different strategy: don't set the ForceCommand as default, keep the defaults somewhat relaxed and then create a slightly more complicated Match block with a negated pattern to make it apply to everybody (*) except the members of server_admins, and there you override the defaults and add restrictions:

# /etc/ssh/sshd_config
# ... 
# your current global config
#
# Enable the internal sftp server but do not set the ForceCommand 

Subsystem sftp internal-sftp

# ... 

# Everybody except members of the server_admins group are restricted to SFTP

Match group !server_admins,* 
    ForceCommand internal-sftp
    ChrootDirectory /shared
    X11Forwarding no
    AllowTcpForwarding no

And similarly, to match the members of server_ftp-only that are not also members of server_admins:

Match group !server_admins,server_ftp-only 
    ForceCommand internal-sftp
    ...
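To make the two rules this answer relies on concrete, here is an added Python model (written for this page, not OpenSSH code) of how sshd evaluates a `Match group` pattern-list and stacks Match blocks. It runs against constructed group memberships for an admin, a plain SFTP user and a user in neither group (the group names beyond server_ftp-only and server_admins are assumptions) and shows why a second `Match group server_admins` block cannot lift a ForceCommand already set, why `!server_admins` on its own matches nobody, and how the two negated variants above differ for users outside server_ftp-only.

```python
"""Toy model of the two sshd rules behind this question (added example, not OpenSSH code).

1. "Match group <pattern-list>" tests the pattern-list against every group the user
   belongs to.  A negated pattern ("!name") that matches any group makes the Match
   fail outright; only a plain name or wildcard that matches yields a positive
   result, so a negated pattern on its own never matches anybody (sshd_config(5),
   PATTERNS).  That is why the answer writes "!server_admins,*".
2. For each keyword the first obtained value wins: a keyword set by an earlier Match
   block cannot be unset or changed by a later one, and there is no "ForceCommand none".
   Values set by any matching Match block override the global section.
"""
from fnmatch import fnmatchcase

# Constructed sample memberships (not from the post), primary group first.
ADMIN_GROUPS = ["domain_users", "team-a", "server_ftp-only", "server_admins"]
FTP_USER_GROUPS = ["domain_users", "team-a", "server_ftp-only"]
OTHER_GROUPS = ["domain_users", "team-b"]

GLOBAL_OPTS = {"Subsystem sftp": "internal-sftp"}     # no global ForceCommand
RESTRICT = {"ForceCommand": "internal-sftp", "ChrootDirectory": "/shared"}

# The question's layout: a restricting block, then a block meant to lift it.
ORIGINAL_BLOCKS = [("server_ftp-only", RESTRICT), ("server_admins", {})]
# The answer's two variants.
FIX_EVERYONE_ELSE = [("!server_admins,*", RESTRICT)]
FIX_FTP_ONLY_MEMBERS = [("!server_admins,server_ftp-only", RESTRICT)]


def match_pattern_list(name, pattern_list):
    """1 = positive match, -1 = negated match, 0 = no match.

    Approximates sshd's matcher: case-sensitive, "*" and "?" wildcards
    (fnmatchcase additionally accepts [...] classes, which sshd does not).
    """
    positive = 0
    for pat in pattern_list.split(","):
        pat = pat.strip()
        negated = pat.startswith("!")
        if negated:
            pat = pat[1:]
        if fnmatchcase(name, pat):
            if negated:
                return -1          # a negated hit decides immediately
            positive = 1
    return positive


def group_list_matches(groups, pattern_list):
    """Match group semantics: a negated hit on any group defeats the Match."""
    found = False
    for g in groups:
        r = match_pattern_list(g, pattern_list)
        if r == -1:
            return False
        if r == 1:
            found = True
    return found


def effective_config(global_opts, match_blocks, groups):
    """Apply Match blocks in file order; the first block to set a keyword wins."""
    from_match = {}
    for pattern_list, opts in match_blocks:
        if group_list_matches(groups, pattern_list):
            for key, value in opts.items():
                from_match.setdefault(key, value)
    return {**global_opts, **from_match}


def gets_shell(global_opts, match_blocks, groups):
    """True when no ForceCommand applies, i.e. the user gets a normal SSH session."""
    return "ForceCommand" not in effective_config(global_opts, match_blocks, groups)


if __name__ == "__main__":
    for label, groups in (("admin", ADMIN_GROUPS), ("ftp user", FTP_USER_GROUPS), ("team-b", OTHER_GROUPS)):
        print(f"{label:9} original: shell={gets_shell(GLOBAL_OPTS, ORIGINAL_BLOCKS, groups)}"
              f"  !server_admins,*: shell={gets_shell(GLOBAL_OPTS, FIX_EVERYONE_ELSE, groups)}"
              f"  !server_admins,server_ftp-only: shell={gets_shell(GLOBAL_OPTS, FIX_FTP_ONLY_MEMBERS, groups)}")
    # A negated pattern alone matches nobody, so such a block would never apply.
    print("'!server_admins' alone matches ftp user:", group_list_matches(FTP_USER_GROUPS, "!server_admins"))
```

Note the difference between the two variants for a user in neither group: `!server_admins,*` restricts that user to SFTP as well, while `!server_admins,server_ftp-only` leaves them a normal shell. On the real host, the check for any given account is `sshd -T -C user=<name>,host=<host>,addr=<ip>` run as root, which prints the effective configuration for that connection with keywords in lowercase; the `forcecommand` and `chrootdirectory` lines should be present for restricted users and absent for admins.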
nick519
Fantastic! That works just as expected!
diya
That's great to see. In addition, please, when you want to say "thank you," [vote up](http://serverfault.com/help/privileges/vote-up) that person's answer, or simply pay it forward by providing a great answer to someone else's question. - See [this FAQ page](http://serverfault.com/help/someone-answers) with regards to the etiquette on ServerFault and related sites. - (Since this is an Answer to a Question you yourself asked, you additionally have the option to "accept" it as the correct answer.)