I have set up an SSH server (call it group2.fqdn) with this ForceCommand directive:

    Match Group group1
    ForceCommand ssh -t group1.fqdn
    Match Group="*,!local,!group2,!root"
    ForceCommand ssh -t group3.fqdn

This breaks sftp for users not in group2. How can I modify this so that sftp works?

Thus: user1 of group1 does:

    sftp group2.fqdn

and they (perhaps having to enter passwords twice) are then actually doing sftp to group1.fqdn. Can this be done?
Context:
In our lab, we have a few Ubuntu servers for each group, but only one is allowed external access, so all groups had to log in to one group's server, and all but one are then forced to SSH into another server. We used to do this with a custom shell, but I'm trying to use available server options instead of hacks. The custom shell variant didn't allow SFTP, and this doesn't either, but I'd like to somehow get SFTP to work for all these servers.
Best Answer
The trick to getting SFTP working is to pass on the SSH command received from the client as-is to the server. I discovered this while testing out what happens when you do scp or sftp for a question on Unix & Linux.

Now, my configuration looks like:

Where /usr/local/bin/ssh_wrapper is:

From a couple of quick tests, sftp and scp work fine with this configuration.
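The forwarding the answer describes, as an added example that is not the answerer's /usr/local/bin/ssh_wrapper (the page does not show that script): a POSIX sh ForceCommand wrapper that reads the client's original request from SSH_ORIGINAL_COMMAND, which sshd sets whenever a forced command runs, and replays it on the inner host. It assumes the target host is passed as the wrapper's first argument (so the sshd_config line would read ForceCommand /usr/local/bin/ssh_wrapper group1.fqdn) and that the script is installed under the name ssh_wrapper. It goes a little beyond the answer in two ways: an sftp request is re-issued to the inner host as a subsystem request (ssh -s) rather than as a literal command, so it still works when either server uses internal-sftp rather than a sftp-server binary path, and every relayed request is logged to syslog.

```shell
#!/bin/sh
# Added example, not the answerer's wrapper. Install as /usr/local/bin/ssh_wrapper
# and use it as:  ForceCommand /usr/local/bin/ssh_wrapper group1.fqdn
# sshd exports SSH_ORIGINAL_COMMAND when a ForceCommand runs: empty for an
# interactive login, the configured Subsystem command for sftp (for example
# /usr/lib/openssh/sftp-server or internal-sftp), otherwise the command string.

# classify_request ORIGINAL_COMMAND -> prints interactive | sftp | command
classify_request() {
    case "$1" in
        '')                           echo interactive ;;
        *sftp-server*|internal-sftp)  echo sftp ;;
        *)                            echo command ;;
    esac
}

# build_inner_ssh_args TARGET ORIGINAL_COMMAND
# Prints the arguments for the inner ssh, one per line, so the decision can
# be checked without connecting anywhere.
build_inner_ssh_args() {
    target=$1
    original=$2
    case "$(classify_request "$original")" in
        interactive)
            # No command requested: interactive shell on the inner host.
            printf '%s\n' -t "$target" ;;
        sftp)
            # Ask the inner host for its own sftp subsystem instead of replaying
            # the outer server's subsystem path, which may not exist there.
            printf '%s\n' -s "$target" sftp ;;
        command)
            # scp, rsync, or any remote command: pass the string through
            # unchanged as one argument; the inner host's shell re-parses it.
            printf '%s\n' "$target" "$original" ;;
    esac
}

# Only forward when installed under this name and run by sshd; the guard lets
# the functions above be sourced or tested without opening a connection
# (assumption: the script is installed as "ssh_wrapper").
case "${0##*/}" in
ssh_wrapper)
    target=${1:?usage: ssh_wrapper TARGET_HOST}
    kind=$(classify_request "${SSH_ORIGINAL_COMMAND:-}")
    # Record what is being relayed and for whom, so the extra hop is auditable.
    if command -v logger >/dev/null 2>&1; then
        logger -t ssh_wrapper "user=$(id -un) kind=$kind target=$target cmd=${SSH_ORIGINAL_COMMAND:-}"
    fi
    # Split the argument list on newlines only, and disable globbing so that a
    # request such as "ls *" is not expanded on this host before being relayed.
    set -f
    IFS='
'
    set -- $(build_inner_ssh_args "$target" "${SSH_ORIGINAL_COMMAND:-}")
    exec ssh "$@"
    ;;
esac
```

Two things to keep in mind when deploying something like this. First, an sftp or scp session is run without a pty, so the inner ssh has no terminal on which to ask for a password; the second hop must authenticate with a key (or a forwarded agent), otherwise the transfer fails with no visible prompt. Second, the wrapper relays whatever command string the client sent, which is exactly what the answer relies on; it grants nothing the users did not already have through the interactive ssh -t hop, but the syslog line is what lets you see after the fact which commands actually crossed the gateway.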