
I set up chrooted SFTP directories on a RHEL 8 server that also has several websites running on it. When I tried to ssh in this morning, the server said it only accepts SFTP connections. Fortunately, it's a VM so I can connect directly to the console.

Here's what I added to sshd_config on Friday:

    ForceCommand internal-sftp
    Match Group sftpusers
    ChrootDirectory /sftp/%u

Commenting out the ForceCommand line gets me back in via ssh. What's the correct directive to constrain SFTP users to a directory without turning the entire server into an SFTP server?

Chris Davies
Chanel

1 Answer


Looking at man sshd_config, the documentation writes:

ForceCommand - Forces the execution of the command specified by ForceCommand, ignoring any command supplied by the client

By specifying ForceCommand internal-sftp you are telling sshd that every ssh connection must execute internal-sftp regardless of what the client requests or expects.

You almost certainly meant to use Subsystem, which is documented as follows:

Subsystem - Configures an external subsystem (e.g. file transfer daemon).

To correct your situation, remove the entry for ForceCommand and replace it with Subsystem. I also tend to indent commands after a Match or Host line to make it visually clearer that they apply only if the Match or Host applies.

    Subsystem sftp internal-sftp

    Match Group sftpusers
        ChrootDirectory /sftp/%u

Chris Davies
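Added example, not part of the answer or of OpenSSH: a small Python check that reports a ForceCommand sitting in global scope, as in the question, and chroot Match blocks that have no ForceCommand of their own. The second check reflects a scoping commonly used for SFTP-only accounts and is an assumption beyond the answer; the function names and both sample configs are constructed.

```python
import re

# Constructed sample: the layout from the question (ForceCommand above Match).
QUESTION_CONFIG = """\
ForceCommand internal-sftp
Match Group sftpusers
ChrootDirectory /sftp/%u
"""

# Constructed sample: global Subsystem, restrictions scoped to the Match block.
SCOPED_CONFIG = """\
Subsystem sftp internal-sftp
Match Group sftpusers
    ChrootDirectory /sftp/%u
    ForceCommand internal-sftp
"""

def parse_scopes(text):
    """Return [(scope, keyword, argument)]; scope is 'global' or the Match criteria."""
    scope, out = "global", []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # sshd_config accepts "Keyword value" or "Keyword=value"; keywords are case-insensitive.
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        keyword = parts[0].lower()
        arg = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            scope = arg  # indentation is cosmetic; only a Match line changes scope
            continue
        out.append((scope, keyword, arg))
    return out

def lint(text):
    """Flag a server-wide ForceCommand and chroot blocks lacking their own ForceCommand."""
    entries, findings = parse_scopes(text), []
    for scope, keyword, arg in entries:
        if keyword == "forcecommand" and scope == "global":
            findings.append(f"global ForceCommand {arg!r} applies to every login")
    chroot_scopes = {s for s, k, _ in entries if k == "chrootdirectory" and s != "global"}
    for scope in sorted(chroot_scopes):
        if not any(s == scope and k == "forcecommand" for s, k, _ in entries):
            findings.append(f"Match {scope}: ChrootDirectory without its own ForceCommand")
    return findings

if __name__ == "__main__":
    for name, cfg in (("question", QUESTION_CONFIG), ("scoped", SCOPED_CONFIG)):
        print(name, lint(cfg) or "ok")
```

After editing the real file, `sshd -t` checks its syntax before the daemon is reloaded.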