OpenSSH internal-sftp not accepting allowed/denied_requests

ssh security configuration sftp hardening

Trying to set up a highly restricted SFTP server with OpenSSH_7.4p1 for remote scripts to upload data. The goal is a black hole where the scripts can do a "put" with user level keys and no other server commands are possible. Everything worked fine until the final step where I tried to the limit the sftp command set using -P and -p options in this sshd_config Match clause:

Match user globalstat
    ChrootDirectory /inbound
    ForceCommand internal-sftp -d data -p put -P df,pwd,rm,mkdir,rmdir,get,rename,symlink

Tried a variety of combinations, but -P for denied_requests never blocks any of the specified remote commands. Applying allowed_requests with -p put or put,cd breaks the transfer and returns "Couldn't canonicalise: Permission denied Need cwd". Without -P or -p, there is no problem with the writes, and based on other postings for this error, I'm pretty sure my directory permissions are correct. I've been using this man page for a reference:
https://www.man7.org/linux/man-pages/man8/sftp-server.8.html

It implies that Subsystem rather than ForceCommand is the place for these options, but they don't work in the main body of sshd_config and restarting sshd throws an error if Subsystem is used in a Match clause instead of ForceCommand.

I really hope it's possible to get this working and any suggestions would be greatly appreciated.


The arguments to -p/-P are names of low-level SFTP protocol requests. Not the high-level OpenSSH sftp client commands.

These are the names: open, close, read, write, lstat, fstat, setstat, fsetstat, opendir, readdir, remove, mkdir, rmdir, realpath, stat, rename, readlink, symlink, posix-rename, statvfs, fstatvfs, hardlink, fsync, lsetstat.

You can get the up to date list by running sftp-server -Q requests, as sftp-server man page says.


Given that the question has already been answered, I'll just mention an issue which originally led me here:

Even though the internal-sftp ... expression looks like a normal command, double quotes do not appear to be handled as usual. This won't work for mkdir and symlink:

ForceCommand internal-sftp -l INFO -P "mkdir,rmdir,ln,symlink"

This will:

ForceCommand internal-sftp -l INFO -P mkdir,rmdir,ln,symlink

Related

Locked out of Amzon EC2 Ubuntu instance
CentOS 7 custom service failure (Interactive authentication required)
SSH Sometimes works, sometime doesn't - local network
LDAP PAM client error "cannot find name for user ID"
How NLB will work with IIS-7 web services?
Windows Server 2012 Standard RDS Access Denied for Domain Users
Flink taskmanager on ECS cannot connect to jobmanager on EC2
Urls.py not updating on Django production server , which uses nginx and gunicorn
Postfix - outbound SMTP traffic going out wrong interface
Why browsers fetch images again after reloading my page?
Can RAM with a higher speed work?
Is It Possible to Spread Virus Through Online Embedded Video?