
Scenario: Same users can connect from two different network segments to an ssh host. But they should not be able to use an interactive ssh session when connecting from one (it's actually long-distance tunnels), only chrooted sftp should be allowed.

How can it be achieved? Is this achievable by sshd's settings? Or by tcp wrapper (libwrap) + sshd?

Swift

1 Answer


You can use the Match directive at the bottom of your sshd_config configuration file to override global settings based on, among others, the Address users connect from.

That allows you to set a plethora of specific settings differently for specific users/groups/clients.

# /etc/ssh/sshd_config
# ... 
# your current global config
#
# Enable the internal sftp server

Subsystem sftp internal-sftp

# ... 

# Override for users connecting from the 192.0.2.0/24 subnet
# They're only allowed to use sftp to their %h home directory

Match Address 192.0.2.0/24
  ForceCommand internal-sftp
  ChrootDirectory %h

See this Q&A for background on the internal-sftp server.

diya