Ssh – how to set the sftp -s subsystem option in a configuration file

openssh, sftp, sshfs, sudo

The sftp command supports a subsystem option (-s) which allows the remote user to select the remote sftp-server executable, and optionally upgrade to sudo in the process, like so:

sftp -s "/usr/bin/sudo /usr/libexec/openssh/sftp-server" xxx.yyy.zzz.aaa

This command defers to the ssh client options in ~/.ssh/config allowing the transparent use of pubkey and custom port and user settings.

However, the subsystem option appears to be sftp-specific, and hence it is not set in the config file; it appears it has to be set as a command-line option for sftp.

However, some tools wrap the sftp invocation, so it's impossible to set the subsystem option, and hence I'm stuck with user access.

Is there some configuration file I can use to set this option for openssh sftp generally?

Is there some configuration file to affect the way gnome nautilus invokes sftp for its file manager integration?


Update: possible hacky-but-functioning solution is…

So it turns out that there is no obvious config file that sftp will use for options, so I ended up modifying a generic wrapper script to add the option explicitly for my selected hosts by putting this in my path:

#!/bin/bash
#  Generic shell wrapper that performs an operation

OPERATION=/usr/bin/sftp
args=("$@")
# the final arg should contain a hostname of the form [user@]host[:path],
# so match the host name anywhere in it rather than against the exact string
case "${args[@]: -1}" in
    *myserver.com*)
        # "${args[@]}" forwards every argument; "$args" would pass only the first
        exec "$OPERATION" -s "/usr/bin/sudo /usr/libexec/openssh/sftp-server" "${args[@]}"
        ;;
    *)
        exec "$OPERATION" "${args[@]}"
        ;;
esac

However, depending on your sudoers file, running sudo usually requires a tty, so you have to pass the "-t" option to ssh, and guess what? There is no documented configuration option for the ssh client command that works in the ssh_config or ~/.ssh/config files. Haha.

So I wrote another wrapper script to provide that…

#!/bin/bash
#  Generic shell wrapper that performs an operation

OPERATION=/usr/bin/ssh
# locating the hostname is not so simple with ssh, so force a tty for every host
# ("$@" forwards every argument; "$args" would pass only the first)
exec "$OPERATION" -tt "$@"

Although, I am now having trouble getting sftp to use my ~/bin/ssh wrapper file, as the ssh path appears to be hard-coded into sftp and controlled by an option "-S".
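The wrapper idea above, generalised a little, as an added example that is not part of the original post: a dispatching sftp wrapper in POSIX sh that actually parses the `[user@]host[:path]` target sftp takes as its last argument, reduces it to the bare host name, and adds `-s "sudo sftp-server"` only for hosts on an allowlist. The host names, the allowlist variable and the remote sftp-server path are assumptions for the demonstration; the `sftp://` URL form of the target is not handled.

```sh
#!/bin/sh
# Added example (not from the original post): a dispatching sftp wrapper in
# POSIX sh. It parses the [user@]host[:path] target that sftp takes as its
# last argument and, only for hosts listed in SUDO_HOSTS, adds
# -s "sudo sftp-server". Install it as "sftp" in a directory that precedes
# /usr/bin in PATH. Host names and the remote sftp-server path are assumptions.

SFTP_BIN=/usr/bin/sftp
REMOTE_SFTP_SERVER=/usr/libexec/openssh/sftp-server   # assumed remote path
SUDO_HOSTS="myserver.com backup.example.org"           # assumed allowlist

# last_arg ARGS... : print the last positional argument (the sftp target)
last_arg() {
    [ $# -gt 0 ] || return 1
    shift $(( $# - 1 ))
    printf '%s\n' "$1"
}

# extract_host TARGET : reduce [user@]host[:path] to the bare host name
extract_host() {
    t=$1
    t=${t#*@}      # drop an optional leading user@
    t=${t%%:*}     # drop an optional :path suffix
    printf '%s\n' "$t"
}

# sudo_cmd_for HOST : print the remote command to hand to sftp -s when HOST
# is on the allowlist, otherwise print nothing (always exits 0)
sudo_cmd_for() {
    for h in $SUDO_HOSTS; do
        if [ "$h" = "$1" ]; then
            printf '%s\n' "/usr/bin/sudo $REMOTE_SFTP_SERVER"
            return 0
        fi
    done
    return 0
}

# run_sftp ARGS... : exec the real sftp, adding -s for allowlisted hosts only
run_sftp() {
    host=$(extract_host "$(last_arg "$@")")
    s=$(sudo_cmd_for "$host")
    if [ -n "$s" ]; then
        exec "$SFTP_BIN" -s "$s" "$@"
    fi
    exec "$SFTP_BIN" "$@"
}

# Dispatch only when invoked with arguments; with none, the functions are
# merely defined, so the file can be sourced or tested without running sftp.
if [ $# -gt 0 ]; then
    run_sftp "$@"
fi
```

Because the script inspects only the last argument, `sftp -P 2222 root@myserver.com:/etc` still resolves to `myserver.com` and picks up the `-s` option, while other hosts fall through to a plain `sftp` call. The same wrapper could also pass `-S ~/bin/ssh` to point sftp at an ssh wrapper, since `-S` is the documented way to name the ssh program; be aware, though, that forcing a pty with `-tt` puts the binary SFTP stream through terminal line processing, so the usual route to a password-less, tty-less sudo is a sudoers rule for the sftp-server command with `NOPASSWD` (and, where the distribution sets `Defaults requiretty`, a per-command `Defaults!/usr/libexec/openssh/sftp-server !requiretty`).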

Best Answer

According to the ssh_config(5) man page, you can configure the path in the sshd_config configuration file:

 Subsystem
         Configures an external subsystem (e.g. file transfer daemon).
         Arguments should be a subsystem name and a command (with optional
         arguments) to execute upon subsystem request.

So it looks as if you could simply do this:

Subsystem sftp /usr/bin/sudo /usr/libexec/openssh/sftp-server

This configuration obviously goes on the server, not in the client configuration. Is this what you were looking for? The downside, obviously, is that every sftp connection will attempt to run with root privileges, so this will break non-root access to your files.
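To avoid the downside the answer points out, the same server-side idea can be scoped with a Match block, which sshd_config(5) documents as applying to subsystem requests as well as shells and commands. This is an added sshd_config example, not part of the answer; the group name sftpadmins and the sftp-server path are assumptions.

```text
# /etc/ssh/sshd_config (server side). Added example, not from the answer.

# Weak version: every SFTP session, for every user, runs sftp-server under sudo.
#Subsystem sftp /usr/bin/sudo /usr/libexec/openssh/sftp-server

# Scoped version: the default subsystem stays unprivileged for everyone ...
Subsystem sftp /usr/libexec/openssh/sftp-server

# ... and only members of the (assumed) group sftpadmins get the sudo-wrapped
# server. ForceCommand replaces whatever the client requested, including the
# sftp subsystem request, so ordinary users never reach the sudo path.
Match Group sftpadmins
    ForceCommand /usr/bin/sudo /usr/libexec/openssh/sftp-server
```

The forced command is run through the user's login shell without a pty, so the matching sudoers entry must be `NOPASSWD` for that exact command (and, on systems that set `Defaults requiretty`, exempted with `Defaults!/usr/libexec/openssh/sftp-server !requiretty`). `sshd -T -C user=alice,host=client.example.org,addr=192.0.2.10` prints the effective configuration for a given connection, which is the quickest way to confirm which users the Match block actually catches before reloading sshd.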
