My objective is to allow a given Active Directory group members to use OpenSSH SFTP in chroot, and deny access to SSH for them and all others that aren't members of that group, while still allowing local (non-AD) system accounts.
I've already configured sshd_config to use Kerberos to get Active Directory info and that part is already working.

The problem is: while it works the intended way for the group I wish to give access (allow SFTP, deny SSH), all other AD accounts can open both an SSH shell and a non-chroot SFTP session, which is, of course, undesired.

Summing up, I needed to:

  • grant chroot'ed SFTP access to an Active Directory group; deny SSH for them.
  • deny both SFTP and SSH for non-members of that group.
  • keep access rights to local system accounts.

I'm using Fedora 32 with OpenSSH_8.3p1, and my config follows (non-commented lines only).

Include /etc/ssh/sshd_config.d/*.conf
HostbasedAuthentication no
KerberosAuthentication yes
Subsystem       sftp   internal-sftp
Match Group sftp_users
        ChrootDirectory /sftp/%u
        ForceCommand internal-sftp
        X11Forwarding no
        AllowTcpForwarding no
        PermitTTY no
PasswordAuthentication yes
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
UsePAM yes
X11Forwarding yes
PrintMotd no

Thanks in advance!


2 Answers

You need to use ad_access_filter in SSSD to filter which AD users get access to the server. The syntax is something like:

ad_access_filter=(&(memberof=cn=sftp_user,ou=groups,dc=example,dc=com)(other membership criteria))


I may have found the answer to my own question after some trial and error. I would just like to know from you guys if this solution could have any known implications.

So, I changed sshd_config to look like this (omitting the rest):

Match Group !wheel,*
        ChrootDirectory /sftp/%u
        ForceCommand internal-sftp
        X11Forwarding no
        AllowTcpForwarding no
        PermitTTY no
        AllowGroups sftp_users

Match Group wheel

The first Match block is forced not to match the group wheel (with !) and to match any other group (with *). Then AllowGroups defines a space-delimited list of the groups allowed to use SFTP. These groups' members won't have access to the SSH shell. In my test I could see they were successfully chroot'ed.

Then in the second Match block the group wheel gets the default sshd options, since nothing else is put in the block. So wheel members will have unrestricted access to both SSH and SFTP. They didn't fall into the chroot.

I chose the group wheel because it's the sudoers group on Fedora based systems, so for me these local system users would be enough (remember that root user doesn't belong to it; beware not to lock yourself out!).

Then I could see that only the desired AD group members could log into the SFTP. Non-members would generate logs like these:

User john from not allowed because none of user's groups are listed in AllowGroups

What I haven't tested (only because it won't be my case):

  • What would happen to users that belong to both allowed and disallowed groups.
  • What would happen to identical system and Active Directory names (I'm guessing nsswitch.conf order would play a role here).
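As an added example (not code from the question or the answer above), the Python below models how sshd evaluates a `Match Group` pattern list and an `AllowGroups` list for a given account, following the match_pattern_list() / ga_match_pattern_list() semantics from the OpenSSH source: a negated pattern that hits any of the user's groups vetoes the whole Match, and per keyword the first matching Match block wins. It assumes the group list you pass is what getgrouplist() would return for the account (which is where nsswitch.conf and SSSD come in), models only `Match Group` and `AllowGroups`, and uses a constructed copy of the answer's two Match blocks as input.

```python
import fnmatch
SSHD_CONFIG = """
# constructed copy of the answer's Match blocks (sample input, not a live sshd_config)
Match Group !wheel,*
        ChrootDirectory /sftp/%u
        ForceCommand internal-sftp
        AllowGroups sftp_users
Match Group wheel
"""

def match_pattern_list(name, patterns):
    # OpenSSH match_pattern_list(): a matching "!pat" vetoes (-1); else 1 if any positive hit, else 0
    got_positive = 0
    for pat in patterns.split(","):
        if fnmatch.fnmatchcase(name, pat.lstrip("!")):  # sshd patterns use '*' and '?'
            if pat.startswith("!"):
                return -1
            got_positive = 1
    return got_positive

def group_list_matches(groups, patterns):
    # OpenSSH ga_match_pattern_list(): a negated hit on ANY of the user's groups fails the Match
    found = False
    for group in groups:
        result = match_pattern_list(group, patterns)
        if result == -1:
            return False
        found = found or result == 1
    return found

def effective_options(config, user, groups):
    # Per keyword, the first *matching* Match block that sets it wins (globals not modelled)
    opts, active = {}, False
    for line in config.splitlines():
        parts = line.split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        key, val = parts[0].lower(), parts[1].strip() if len(parts) > 1 else ""
        if key == "match":  # only "Match Group <patterns>" is modelled here
            active = group_list_matches(groups, val.split()[1])
        elif active:
            opts.setdefault(key, val.replace("%u", user))
    return opts

def access_outcome(config, user, groups):
    opts = effective_options(config, user, groups)
    allowed = opts.get("allowgroups", "").split()  # AllowGroups entries: wildcards, no '!'
    if allowed and not any(fnmatch.fnmatchcase(g, p) for g in groups for p in allowed):
        return "denied: none of user's groups are listed in AllowGroups"
    return "chrooted sftp in " + opts["chrootdirectory"] if "chrootdirectory" in opts else "full shell"
```

Under this model an account that is in both wheel and sftp_users (the first untested case above) gets a full shell, because the negated !wheel pattern vetoes the first block before AllowGroups is ever consulted; confirm on the real host with `sshd -T -C user=<name>` before relying on that.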