Trying to set up a highly restricted SFTP server with OpenSSH_7.4p1 for remote scripts to upload data. The goal is a black hole where the scripts can do a "put" with user level keys and no other server commands are possible. Everything worked fine until the final step where I tried to the limit the sftp
command set using -P
and -p
options in this sshd_config
Match
clause:
Match user globalstat
ChrootDirectory /inbound
ForceCommand internal-sftp -d data -p put -P df,pwd,rm,mkdir,rmdir,get,rename,symlink
Tried a variety of combinations, but -P
for denied_requests
never blocks any of the specified remote commands. Applying allowed_requests
with -p put
or put,cd
breaks the transfer and returns "Couldn't canonicalise: Permission denied Need cwd". Without -P
or -p
, there is no problem with the writes, and based on other postings for this error, I'm pretty sure my directory permissions are correct. I've been using this man page for a reference:
https://www.man7.org/linux/man-pages/man8/sftp-server.8.html
It implies that Subsystem
rather than ForceCommand
is the place for these options, but they don't work in the main body of sshd_config
and restarting sshd throws an error if Subsystem
is used in a Match
clause instead of ForceCommand
.
I really hope it's possible to get this working and any suggestions would be greatly appreciated.