Using SFTP with SSH ForceCommand Directive – Configuration Guide

serversftpssh

I have set up an SSH server (call it group2.fqdn) with this ForceCommand directive:

Match Group group1
       ForceCommand ssh -t group1.fqdn

Match Group="*,!local,!group2,!root"
       ForceCommand ssh -t group3.fqdn

This breaks sftp for users not in group2. How can I modify this so that sftp works?

Thus: user1 of group1 does:

sftp group2.fqdn

and they (perhaps having to enter passwords twice) are then actually doing sftp to group1.fqdn. Can this be done?

Context:
In our lab, we have a few Ubuntu servers for each group, but only one is allowed external access, so all groups had to login to one group's server, and all but one then are forced to SSH into another server. We used to do this with a custom shell, but I'm trying to use available server options instead of hacks. The custom shell variant didn't allow SFTP, and this doesn't either, but I'd like to somehow get SFTP to work for all these servers.

Best Answer

The trick to getting SFTP working is to pass on the SSH command received from the client as-is to the server. I discovered this while testing out what happens when you do scp or sftp for a question on Unix & Linux.

Now, my configuration looks like:

Match Group group1
       ForceCommand /usr/local/bin/ssh_wrapper group1

Match Group="*,!local,!group2,!root"
       ForceCommand /usr/local/bin/ssh_wrapper group3

Where /usr/local/bin/ssh_wrapper is:

#! /bin/sh

/usr/bin/ssh -t -o StrictHostKeyChecking=no $USER@${1:-default}.fqdn $SSH_ORIGINAL_COMMAND

From a couple of quick tests, sftp and scp work fine with this configuration.

Related Solutions

Ubuntu – Setting up ssh and sftp for multiple users

I wrote an article about that some time ago: http://en.positon.org/post/SFTP-chroot-rsync

I think what you need in /etc/ssh/sshd_config is:

# we use openssh internal sftp
# because /usr/lib/openssh/sftp-server won't be available in chroot
Subsystem sftp internal-sftp

Match group sftp
        ChrootDirectory %h
        X11Forwarding no
        AllowTcpForwarding no
        ForceCommand internal-sftp

You can change the ChrootDirectory to your need, however, the chroot directory have to be owned by root and not writeable by the users. This is a security restriction from the OpenSSH developers.

Also, carefully check /var/log/auth.log for SSH connections problems.

Ubuntu – Git and SFTP – How to separate them

Updated post:

Using the following ForceCommand in sshd_config for your (otherwise normal) user should work:

ForceCommand /usr/bin/git-shell -c "$SSH_ORIGINAL_COMMAND"

This magic little command was originally found here. Note that the user's shell must be a normal fully featured shell in order for this to work properly.

Reason for edit:

I just realized my initial answer didn't actually work for me (so embarrassing). Sure it disables SFTP, but it seems to prevent git from working properly as well!

Original post:

Try using a ForceCommand, and use the git-shell for the command as well. ForceCommand disables sftp unless set to internal-sftp. - muru

Just decided to quote muru's comment so that others might benefit from it. It works like a charm.

I was having the exact same issue, and almost missed this gem since it was in the comments instead of posted as an answer.

Best Answer

Related Solutions

Ubuntu – Setting up ssh and sftp for multiple users

Ubuntu – Git and SFTP – How to separate them

Related Question