We have a webserver where users are allowed to upload (SFTP) large files in a chroot environment. We also want to be able to use SSH to manage this server.

In our old situation we used the system sshd and a chroot environment with a separate sshd running inside. I hoped I could simplify the configuration with the 'new' ChrootDirectory option.

Our server has two IP addresses, one for public access and one for internal access. Is it possible for a single sshd to listen on two separate IPs/interfaces but treat them differently? In all the documentation I have read it seems like it is only possible to distinguish between users or groups, but not IPs/interfaces.

If this is not possible, is the dual sshd setup the best option, should I do better user management to filter them by group, or is there a more elegant way to set up a server like this?

Jorisslob

3 Answers


You could use Match in a reverse way. Chroot by default and then negate the directive if connecting from the internal network.

ChrootDirectory /chroot/somedir
Match Address 10.0.0.0/24
    ChrootDirectory none

However, you should consider the implications of placing security decisions upon the network, including the possibility of an authenticated user creating a new session over loopback to bypass such policies. Generally, it would be safer to define User and Group if possible.

(edit: typed before reading properly)

Dan Carley

The solution that I used in the end is the following:

Subsystem sftp internal-sftp
ChrootDirectory <my chroot directory>
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp

Match User <my admin account> Address <my ip>
  ChrootDirectory none
  X11Forwarding yes
  AllowTcpForwarding yes
  ForceCommand /bin/bash

Match User <my admin account>
  ForceCommand none

So it is a mix of the answers I saw before. I made two Match blocks so that people coming from other IPs but trying to use my admin account won't be able to use sftp or ssh. I will be monitoring the activity on the server closely to see if this works out, but internal tests look promising.

Jorisslob
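The order of those two Match blocks matters, so here is an added example (not from the original post) that models how sshd resolves them: blocks are tried in file order, the first matching block that sets a keyword wins, and the global section only fills in what no block set. The placeholders are replaced with constructed values (user admin, source IP 192.0.2.10, chroot /srv/chroot), and only the User and Address criteria are modelled.

```python
import fnmatch
import ipaddress
# Constructed stand-ins for the answer's placeholders (assumptions): admin
# account "admin", admin source IP 192.0.2.10, chroot directory /srv/chroot.
SSHD_CONFIG = """
Subsystem sftp internal-sftp
ChrootDirectory /srv/chroot
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
Match User admin Address 192.0.2.10
  ChrootDirectory none
  X11Forwarding yes
  AllowTcpForwarding yes
  ForceCommand /bin/bash
Match User admin
  ForceCommand none
"""

def parse(text):
    """Return (global settings, [(criteria, settings), ...]) in file order."""
    top, blocks, cur = {}, [], None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        key, _, val = line.partition(" ")
        key, val = key.lower(), val.strip()
        if key == "match":  # "User admin Address 192.0.2.10" -> criteria pairs
            toks = val.split()
            cur = {}
            blocks.append((dict(zip([t.lower() for t in toks[::2]], toks[1::2])), cur))
        else:  # keywords before any Match line are global
            (top if cur is None else cur)[key] = val
    return top, blocks

def _matches(crit, user, addr):
    """All criteria on the Match line must hold; comma lists are ORed (no '!' negation)."""
    tests = {"user": lambda p: fnmatch.fnmatchcase(user, p),  # Address: CIDR or bare IP
             "address": lambda p: ipaddress.ip_address(addr) in ipaddress.ip_network(p, strict=False)}
    return all(any(tests[k](p) for p in pats.split(",")) for k, pats in crit.items())

def effective(config, user, addr):
    """Settings sshd applies to user logging in from addr: first matching block to set a keyword wins."""
    top, blocks = parse(config)
    eff = {}
    for crit, settings in blocks:
        if _matches(crit, user, addr):
            eff = {**settings, **eff}  # keys set by an earlier matching block win
    return {**top, **eff}              # globals only fill in what no block set
```

Swap the two Match blocks and the admin coming from 192.0.2.10 ends up with ForceCommand none instead of /bin/bash, which is why the more specific block has to come first. On the real host, `sshd -T -C user=<user>,host=<client hostname>,addr=<client ip>` prints the effective configuration for that connection so the result can be confirmed without logging in.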

I created a group called sftpupload. Every customer without ssh access is in this group and can just use sftp:

# sshd_config:
Subsystem sftp internal-sftp
Match group sftpupload
    ChrootDirectory /home
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp

You can also use ChrootDirectory %h for real chrooting in ~.

See the manual page.

ThorstenS