
For a user group I'd like to:

  • Restrict SFTP access to a given directory
  • Use a custom shell for TTY which takes care of only exposing what needs to be exposed from the system but that still needs access to the entire root file system

So ultimately I'd like to perform a ChrootDirectory only for users from a certain group who are also connected over an sftp session, and avoid doing a ChrootDirectory for users connected over a TTY session. Can it be done through sshd_config?

Thanks

1 Answer

Do you need shell access?

If not then take a look at an sftponly setup. It is configurable per user or per group and uses chown to restrict sftp access to one directory.

mschuett
  • Yes, shell access is required. The idea is to have a limited-functionality command line interface (custom, obviously not sh or bash) with full access to the file system underneath. This is not possible after the ChrootDirectory. Yet when the same user launches an sftp session I'd like to limit its access to a given directory (I don't believe there's a clean way to do that besides using ChrootDirectory). – user3101309 Dec 15 '13 at 21:37
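
An added example, not part of the original posts: a small audit of `sshd_config` Match blocks that separates the sftp-only setup the answer mentions (`ChrootDirectory` together with `ForceCommand internal-sftp`) from a block where the chroot would also confine shell/TTY sessions, which is the conflict the comment describes. The sample config, group names, paths and verdict strings are constructed assumptions.

```python
# Constructed sample config (not from the page); group names and paths are assumptions.
SAMPLE = """\
Subsystem sftp internal-sftp

Match Group sftponly
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no

Match Group limitedcli
    # No ForceCommand: the custom shell would start inside the chroot too.
    ChrootDirectory /srv/sftp/%u
"""


def match_blocks(text):
    """Split sshd_config text into (criteria, {keyword: value}) blocks."""
    blocks = [("global", {})]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()          # sshd_config keywords are case-insensitive
        value = parts[1] if len(parts) > 1 else ""
        if key == "match":
            blocks.append((value, {}))  # a Match block runs until the next Match or EOF
        else:
            blocks[-1][1].setdefault(key, value)  # first value for a keyword wins
    return blocks


def audit(text):
    """Classify every block that sets a chroot."""
    findings = []
    for criteria, opts in match_blocks(text):
        chroot = opts.get("chrootdirectory", "none")
        if chroot.lower() == "none":
            continue
        forced = opts.get("forcecommand", "").split()
        if forced and forced[0] == "internal-sftp":
            findings.append((criteria, "sftp-only"))
        else:
            findings.append((criteria, "chroot-hits-shell"))
    return findings


if __name__ == "__main__":
    for criteria, verdict in audit(SAMPLE):
        print(f"Match {criteria}: {verdict}")
```
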