9

Is it possible to separate SSH and SFTP?

For example, have SFTP listening on port 22 and SSH on port 2222?

I have separate lists of SFTP and SSH users; the goal is to allow SFTP users to connect on port 22, and make SSH listen on a higher port such as 2222.

As both are essentially part of SSH, I could not find a way to achieve this.

Thanks in advance!

Igor
  • This may be useful http://serverfault.com/questions/74176/what-port-does-sftp-use. As it runs using ssh then no they cannot be on different ports. – 123 May 09 '16 at 09:01

3 Answers

9

The other questions are correct, but you can set up the single instance of openSSH to listen on both ports and handle SFTP connection on one and SSH connections on the other:

Port 22
Port 2222
Subsystem sftp internal-sftp
Match LocalPort 22
    ChrootDirectory /sftp/root/dir
    AllowTCPForwarding no
    X11Forwarding no
    ForceCommand internal-sftp
Jakuje
  • Thanks for the response - this solution means that users will still be able to connect via port 22 to the SSH server? – Igor May 09 '16 at 16:11
  • That's what I am trying to avoid :) Basically, the goal is to separate SSH and SFTP. Goal is to have SSH server listening on some higher port only (such as 2222) and have SFTP server listening on 22 only, without SSH on port 22. – Igor May 10 '16 at 08:45
  • Oh .. I misread your comment. If you specify `ForceCommand`, normal `ssh` will not be possible. – Jakuje May 10 '16 at 09:25
  • Thanks! It is working with "Match LocalPort 22" and "ForceCommand". The only thing which I could not get working is to allow only a certain group for SFTP. Prior to this change, I did it by "Match Group sftpusers" but I could not use it with "Match LocalPort 22". Do you have any experience with combining multiple conditions with "Match"? – Igor May 18 '16 at 12:52
  • @Igor You can use several keywords in the `Match` block, for example `Match LocalPort 22 Group sftpusers` – Jakuje May 18 '16 at 14:31
  • On Ubuntu 18.04 with OpenSSH 7.6p1, this results in an error: `Directive 'Subsystem' is not allowed within a Match block.` – Mark Stosberg Mar 28 '18 at 17:59
  • @MarkStosberg yes, that is a mistake. The `Subsystem` needs to be outside of the Match block. I will edit the answer. But that is not changing anything on the functionality of this solution. – Jakuje Mar 28 '18 at 18:38
  • My solution was to immediately add "Match username LocalPort 22" with DenyUsers username. This will allow user sftp on port 2222 but deny them on port 22. – ggedde Apr 20 '22 at 23:57
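Added example (not from the answer or its comments): a small Python model of how sshd evaluates Match blocks, used to check what a connection on port 22 versus 2222 actually receives once `Group sftpusers` is combined with `LocalPort 22`, and to catch the `Subsystem`-inside-Match mistake discussed above. The configuration text, user names and group names are constructed; the authoritative check on a real host is `sshd -T -C lport=22,user=alice,host=h,addr=a -f /path/to/sshd_config`.

```python
# Added example (not from the thread): a small model of how sshd evaluates Match
# blocks, to check what each connection would receive. Simplified: only LocalPort,
# User and Group criteria, comma-separated exact names (no wildcards or "!"
# negation), single-valued keywords. Authoritative check: sshd -T -C ... -f FILE

# Constructed config: the accepted answer plus the "Match LocalPort 22 Group
# sftpusers" refinement from the comments; Subsystem stays outside Match.
SSHD_CONFIG = """\
Port 22
Port 2222
Subsystem sftp internal-sftp
Match LocalPort 22 Group sftpusers
    ChrootDirectory /sftp/root/dir
    AllowTCPForwarding no
    X11Forwarding no
    ForceCommand internal-sftp
"""

def parse(text):
    """Return (global_settings, [(criteria, settings), ...])."""
    global_, blocks, block = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        key, value = key.lower(), value.strip()
        if key == "match":  # criteria/pattern pairs; all must hold
            toks = value.split()
            block = ({t.lower(): p for t, p in zip(toks[::2], toks[1::2])}, {})
            blocks.append(block)
        elif block is None:
            global_.setdefault(key, value)  # first occurrence wins, as in sshd
        elif key == "subsystem":  # sshd 7.x rejects this, as noted in the comments
            raise ValueError("Directive 'Subsystem' is not allowed within a Match block.")
        else:
            block[1].setdefault(key, value)
    return global_, blocks

def effective(text, lport, user, groups):
    """Settings seen by `user` (member of `groups`) on local port `lport`."""
    checks = {"localport": lambda v: v == str(lport),
              "user": lambda v: user in v.split(","),
              "group": lambda v: bool(set(v.split(",")) & set(groups))}
    eff, blocks = parse(text)
    # Satisfied blocks override globals; first satisfied block wins per keyword.
    for criteria, settings in reversed(blocks):
        if all(checks[k](v) for k, v in criteria.items()):
            eff.update(settings)
    return eff
```

A user outside `sftpusers` connecting on port 22 gets no `ForceCommand` at all, which is the gap the last comment closes with `DenyUsers`.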
4

Adding a second instance running on a separate port definitely works, but then you have to deal with telling users to use another port - which they won't. You can also use match user and match group lines to force users and/or groups to be sftp-only.

In sshd_config, you can do something like

Subsystem sftp internal-sftp
...
Match Group sftponly
        ChrootDirectory /sftp/root/dir
        AllowTCPForwarding no
        X11Forwarding no
        ForceCommand internal-sftp

See also Linux shell to restrict sftp users to their home directories?

Andrew Henle
  • This works, but if there is a bug with SSH logins, it is still publicly exposed. By splitting the ports, you can for example make SFTP publicly available, but have SSH run on a non-public port, perhaps only accessed through a bastion. This can also help with compliance with a policy that SSH is never directly exposed. – Mark Stosberg Mar 26 '18 at 20:12
0

You can do this by:

  1. creating a second/separate SSH service (this will be done differently depending on the init system you're using);

  2. and configuring it to only allow SFTP. You might want to chroot the SFTP service in order to prevent some tricks which could be used by the user to get a shell back.

ysdx