
I understand that there have been tons of other threads on the Internet on allowing OpenSSH SFTP connections on a custom port. I've hit them, not all, but a lot. And have not been able to make it work in my specific case :)

Here's what I've been struggling with:

  • CentOS Linux release 7.6.1810 (Core), on AWS
  • OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017
  • Requirements:
    • Only 1 sshd instance allowed
    • Port 22: SSH
    • Port 2222: SFTP
    • Chrooted SFTP users
  • At the top of /etc/ssh/sshd_config I have:

    Port 22
    Port 2222
    
  • SFTP server configured using johanmeiring's Ansible role ansible-sftp

    • I then modified /etc/ssh/sshd_config to change this Match line from:

      Match Group sftpusers
      

      to:

      Match Group sftpusers LocalPort 2222
      

      in the hope that users of the group sftpusers will *only* be able to SFTP-connect via port 2222

    • This is more of /etc/ssh/sshd_config that I think is relevant:

      Port 22
      Port 2222
      ...
      Subsystem sftp internal-sftp -f AUTH -l VERBOSE
      ...
      Match Group sftpusers LocalPort 2222
          ChrootDirectory %h
          AllowTCPForwarding no
          X11Forwarding no
          ForceCommand internal-sftp
          PasswordAuthentication no
      

What really happened is SFTP users are able to connect via both ports 22 and 2222. To make it worse, when connecting via port 22, SFTP users are not chrooted at all (they're able to cd freely). All of this is not expected.

How do I achieve chrooted SFTP users, restricted to port 2222, based on OpenSSH, while letting SSH function normally?

Thank you.

Tung Nguyen

1 Answer


Try to add another match group and deny access to the group.

Match Group sftpusers LocalPort 22
    DenyGroups sftpusers

Would work.

toed
  • Thank you! It works! Didn't think it would look this simple. – Tung Nguyen Dec 09 '19 at 14:09
  • Also, I do not really need my part of `Match Group sftpusers LocalPort 2222`. Just leave it as `Match Group sftpusers` and add the part you provided (`Match Group sftpusers LocalPort 22`) and everything works as expected. – Tung Nguyen Dec 09 '19 at 14:39
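To see why the original configuration let sftpusers members through port 22 unchrooted, and why the extra `Match ... LocalPort 22` block with `DenyGroups` closes that hole, here is a small simulator of how sshd evaluates Match blocks. This is an added example written for this page, not OpenSSH's own parser and not part of the Ansible role: it models only the Group and LocalPort criteria, only the first-value-wins rule for each keyword, and nothing of authentication itself. The two config texts are the ones from the question and from the asker's final comment; the user names and group lists are constructed sample input.

```python
"""Simplified simulation of sshd_config Match-block evaluation (added example)."""

# Constructed sample configs: the asker's original and the final working variant.
ORIGINAL_CONFIG = """
Port 22
Port 2222
Subsystem sftp internal-sftp -f AUTH -l VERBOSE
Match Group sftpusers LocalPort 2222
    ChrootDirectory %h
    AllowTCPForwarding no
    X11Forwarding no
    ForceCommand internal-sftp
    PasswordAuthentication no
"""

FIXED_CONFIG = """
Port 22
Port 2222
Subsystem sftp internal-sftp -f AUTH -l VERBOSE
Match Group sftpusers
    ChrootDirectory %h
    AllowTCPForwarding no
    X11Forwarding no
    ForceCommand internal-sftp
    PasswordAuthentication no
Match Group sftpusers LocalPort 22
    DenyGroups sftpusers
"""


def parse_config(text):
    """Return (global_directives, [(criteria, directives), ...]).

    Keywords are lower-cased. Within one section sshd keeps the first value it
    sees for a keyword, which is what setdefault() does here. Multi-valued
    keywords such as Port are not modelled (only the first Port survives).
    """
    global_cfg, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, _, rest = line.partition(" ")
        keyword = keyword.lower()
        if keyword == "match":
            tokens = rest.split()  # e.g. ["Group", "sftpusers", "LocalPort", "2222"]
            criteria = {tokens[i].lower(): tokens[i + 1] for i in range(0, len(tokens), 2)}
            current = {}
            blocks.append((criteria, current))
            continue
        target = current if current is not None else global_cfg
        target.setdefault(keyword, rest.strip())
    return global_cfg, blocks


def block_matches(criteria, conn):
    """Every criterion on the Match line must hold for the block to apply."""
    for key, value in criteria.items():
        if key == "group" and not set(value.split(",")) & set(conn["groups"]):
            return False
        if key == "user" and conn["user"] not in value.split(","):
            return False
        if key == "localport" and int(value) != int(conn["lport"]):
            return False
        if key not in ("group", "user", "localport"):
            raise ValueError("criterion %s not modelled" % key)
    return True


def effective_config(text, conn):
    """Values from matching blocks override globals; among matching blocks,
    the first block that sets a keyword wins, as sshd documents."""
    global_cfg, blocks = parse_config(text)
    result = {}
    for criteria, directives in blocks:
        if block_matches(criteria, conn):
            for k, v in directives.items():
                result.setdefault(k, v)
    for k, v in global_cfg.items():
        result.setdefault(k, v)
    return result


def simulate(config_text, user, groups, lport):
    """Classify what a connection ends up with: denied, chrooted SFTP, or a shell."""
    conn = {"user": user, "groups": groups, "lport": lport}
    cfg = effective_config(config_text, conn)
    if set(cfg.get("denygroups", "").split()) & set(groups):
        return "denied"
    if cfg.get("chrootdirectory") and cfg.get("forcecommand") == "internal-sftp":
        return "chrooted-sftp"
    return "unrestricted"


if __name__ == "__main__":
    # Constructed sample accounts: one SFTP-only user, one administrator.
    for name, cfg in (("original", ORIGINAL_CONFIG), ("fixed", FIXED_CONFIG)):
        for user, groups in (("bob", ["sftpusers"]), ("alice", ["wheel"])):
            for port in (22, 2222):
                print(name, user, port, simulate(cfg, user, groups, port))
```

The simulation reproduces the observed behaviour: with the original file a sftpusers member on port 22 matches no Match block at all, so none of the chroot directives apply and the user gets an ordinary shell, while with the fixed file the `LocalPort 22` block sets `DenyGroups` and the login is refused. It also shows a limit of both configs worth knowing: nothing stops a non-sftpusers account from opening a normal shell on port 2222, so "port 2222 is SFTP" holds only for the restricted group. On the server itself the real daemon can be asked the same question with `sshd -T -C user=bob,host=client.example,addr=192.0.2.10,lport=22`, which prints the effective settings after Match processing.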