openssh, permitting some users to use sftp with passwords and limited privileges

I see these immediate issues:

  • The order of directives. Try putting the Match Group sftp_users at the very end of the file /etc/ssh/sshd_config instead of in a file in sshd_config.d. This is because the last AuthenticationMethods seems to win.
  • The AuthenticationMethods should contain password. This is apparently what allows the password login.
  • When using the ChrootDirectory directive, you also have to use the following line within your Match Group sftp_users block:
    ForceCommand internal-sftp
    This is because the /sftp-incoming becomes the actual root of the file system to all commands. By default, the SSH server attempts to run a binary such as /usr/lib/openssh/sftp-server. From the perspective of the chroot'ed filesystem, there probably isn't any such file.

Potentially, you'll also have to run the following command to make sure that the /sftp-incoming directory cannot be accessed by 'other' (the last digit in the octal 0750):

chmod 0750 /sftp-incoming

As an experimental setup, I used the following Dockerfile:

FROM ubuntu

RUN apt-get update && \
    apt-get install -yq openssh-sftp-server openssh-server

# Create two users, first has no password, second has the password "1".
# This will also create the home directory for the sftp user.
RUN echo | adduser only-passwordless-user && \
    echo | adduser only-with-password-user --home /sftp-incoming/only-with-password-user && \
    echo only-with-password-user:1 | chpasswd && \
    addgroup sftp_users && \
    adduser only-with-password-user sftp_users

# These are needed so that sshd is happy. Otherwise,
# it likes to say “bad ownership or modes for chroot directory”
RUN mkdir -p -m0755 /var/run/sshd && \
    chown root:root /sftp-incoming && \
    chmod 0750 /sftp-incoming

RUN echo AuthenticationMethods publickey >> /etc/ssh/sshd_config && \
    printf "Match Group sftp_users                                \n\
            ForceCommand internal-sftp                            \n\
            X11Forwarding no                                      \n\
            AllowTcpForwarding no                                 \n\
            AuthorizedKeysCommand /bin/true                       \n\
            AuthenticationMethods keyboard-interactive password   \n\
            PasswordAuthentication yes                            \n\
            ChrootDirectory /sftp-incoming                        \n\
           " >> /etc/ssh/sshd_config  # cannot be ".d/sftp_users.conf"

# Start a single-connection debug server.
# Remove the -d parameter to make it long-lived but quiet.
ENTRYPOINT /usr/sbin/sshd -d

You can start a sshd running on port 2200 using this command:

docker build . -t ssh-test && docker run -it --name ssh-test -p2200:22 --rm ssh-test bash

To connect to it using sftp, run this:

sshpass -p1 sftp -P 2200 [email protected]
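The two things that bite hardest in the setup above, the ownership/mode rule behind "bad ownership or modes for chroot directory" and the question of which AuthenticationMethods line actually wins for a Match group, can both be checked before anyone tries to log in. This is an added shell example, not code from the answer; the function names, the localhost/127.0.0.1 values passed to sshd -T, and the use of GNU stat are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original answer. Re-implements the rule sshd
# applies to ChrootDirectory: every component of the path, from / down to the
# chroot itself, must be owned by root (uid 0) and must not be writable by
# group or others, otherwise sshd logs "bad ownership or modes for chroot
# directory" and drops the session. Assumes GNU stat (Linux).

# Returns 0 when an octal mode string as printed by `stat -c %a` (e.g. 750,
# 1777) has neither the group-write nor the other-write bit set.
mode_ok() {
    case "$1" in
        *[2367]?|*[2367]) return 1 ;;   # group or other is writable
        *) return 0 ;;
    esac
}

# Walks from the chroot up to / and prints every component that breaks the
# rule. Returns 0 if the whole path is acceptable, 1 otherwise, 2 on stat error.
check_chroot_path() {
    cur="$1"; rc=0
    while :; do
        uid=$(stat -c '%u' "$cur" 2>/dev/null) || return 2
        mode=$(stat -c '%a' "$cur" 2>/dev/null) || return 2
        [ "$uid" = "0" ] || { echo "$cur: owned by uid $uid, must be root"; rc=1; }
        mode_ok "$mode" || { echo "$cur: mode $mode is group/other writable"; rc=1; }
        [ "$cur" = "/" ] && break
        cur=$(dirname "$cur")
    done
    return $rc
}

# Prints the AuthenticationMethods sshd really applies to a user after all
# Match blocks are evaluated; only runs when sshd is installed. host/addr are
# assumed values, supplied so a Match Address block (if any) can be evaluated.
effective_auth_methods() {
    command -v sshd >/dev/null 2>&1 || { echo "sshd not installed"; return 2; }
    sshd -T -C "user=$1,host=localhost,addr=127.0.0.1" | grep -i '^authenticationmethods'
}

# Usage (the values from the answer above):
#   check_chroot_path /sftp-incoming
#   effective_auth_methods only-with-password-user
```

Run it as root on the host where sshd is configured; if the second function does not print `password` for the sftp user, the Match block is not the last word on AuthenticationMethods.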