How do I restrict users to sftp in OpenSSH on Windows Server?

I am working with OpenSSH downloaded from https://github.com/PowerShell/Win32-OpenSSH/releases.

My goal here is to set up an SSH server that allows SFTP file transfer without SSH access. According to the official documentation provided by OpenSSH, this should be supported on Windows since version 7.7 was released, and the restriction should be set up in sshd_config. I tried to play with this file for a while, but I wasn't able to restrict myself to only being able to access the subfolders. This is what I have added in my config file:

Subsystem   sftp    sftp-server.exe
ForceCommand internal-sftp
ChrootDirectory c:\users\myusername
AllowTcpForwarding no
PermitTunnel no
GatewayPorts no

Can anyone tell me why this is not working? Or can I not set up SFTP-only access like this?

Another option would be to disable SSH connections. How do I achieve that with OpenSSH on Windows?


Solution 1:

From Mika-n on the PowerShell-OpenSSH GitHub:

This works with the OpenSSH-Win64 8.1.x version, but you need to set the following sshd_config options (by default in the %PROGRAMDATA%\SSH\ folder on the Windows platform):

ForceCommand internal-sftp
Subsystem  sftp   sftp-server.exe -d "D:\MyDataRoot\"
ChrootDirectory D:\MyDataRoot

PermitTunnel no
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no
AllowUsers sftpuser

So consider adding the Subsystem line with -d to set the folder, or add -d to your ForceCommand entry.

Please note that you should also make sure the users have the correct filesystem permissions to keep them contained in a folder as well.
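As an added example (not part of the original question or answer, and not code from the Win32-OpenSSH project), here is a PowerShell script that applies the settings above for a single account and also sets the filesystem permissions the answer says are needed to keep the user contained. It assumes sshd is already installed as a service, that sshd_config lives in %PROGRAMDATA%\ssh, and that sshd.exe is in %ProgramFiles%\OpenSSH. The account name sftpuser and the root D:\MyDataRoot are the placeholders from the answer. Two further assumptions: the answer sets the directives globally, while this script scopes them to the user with a Match User block following upstream sshd_config semantics, so administrators keep a normal shell; and it keeps the chroot root read-only for the user and gives modify rights only in an upload subfolder, which is a design choice rather than something the answer states.

```powershell
# Added example, not from the original post, the answer, or the Win32-OpenSSH project.
# Assumptions: sshd runs as a service, sshd_config is in $env:ProgramData\ssh,
# sshd.exe is in $env:ProgramFiles\OpenSSH, and 'sftpuser' / 'D:\MyDataRoot' are
# hypothetical placeholders taken from the answer above.
#Requires -RunAsAdministrator

$SftpUser   = 'sftpuser'
$DataRoot   = 'D:\MyDataRoot'
$SshdConfig = Join-Path $env:ProgramData 'ssh\sshd_config'
$SshdExe    = Join-Path $env:ProgramFiles 'OpenSSH\sshd.exe'   # adjust to your install path

# 1. Chroot root plus a writable subfolder. The user gets read/execute on the root
#    and modify rights only inside 'upload' (design choice: a root the user cannot
#    write to keeps them from planting files beside the chroot root itself).
$Upload = Join-Path $DataRoot 'upload'
New-Item -ItemType Directory -Force -Path $Upload | Out-Null
icacls $DataRoot /inheritance:r `
    /grant 'SYSTEM:(OI)(CI)F' `
    /grant 'Administrators:(OI)(CI)F' `
    /grant "${SftpUser}:(OI)(CI)RX" | Out-Null
icacls $Upload /grant "${SftpUser}:(OI)(CI)M" | Out-Null

# 2. Build the new sshd_config. Subsystem is not allowed inside a Match block, so it
#    must sit above the first Match line (the stock Windows config ends with
#    'Match Group administrators'); the per-user restrictions go in their own
#    Match block at the very end of the file.
function Set-SftpOnlyConfig {
    param([string[]]$Lines, [string]$User, [string]$Root)

    # Drop any existing sftp Subsystem line, then re-add it with -d so the
    # session starts inside the chroot directory.
    $Lines = @($Lines | Where-Object { $_ -notmatch '^\s*Subsystem\s+sftp\b' })
    $subsystem = "Subsystem sftp sftp-server.exe -d `"$Root`""

    $firstMatch = -1
    for ($i = 0; $i -lt $Lines.Count; $i++) {
        if ($Lines[$i] -match '^\s*Match\b') { $firstMatch = $i; break }
    }
    if ($firstMatch -lt 0) {
        $Lines += $subsystem
    } elseif ($firstMatch -eq 0) {
        $Lines = @($subsystem) + $Lines
    } else {
        $Lines = @($Lines[0..($firstMatch - 1)]) + @($subsystem) +
                 @($Lines[$firstMatch..($Lines.Count - 1)])
    }

    $Lines += @(
        '',
        "# SFTP-only account: no shell, no forwarding, confined to $Root",
        "Match User $User",
        '    ForceCommand internal-sftp',
        "    ChrootDirectory $Root",
        '    AllowTcpForwarding no',
        '    AllowAgentForwarding no',
        '    X11Forwarding no',
        '    PermitTunnel no'
    )
    return $Lines
}

Copy-Item $SshdConfig "$SshdConfig.bak" -Force
$newConfig = Set-SftpOnlyConfig -Lines (Get-Content $SshdConfig) -User $SftpUser -Root $DataRoot
Set-Content -Path $SshdConfig -Value $newConfig -Encoding ascii

# 3. Validate the file before restarting the service; roll back if sshd rejects it.
& $SshdExe -t -f $SshdConfig
if ($LASTEXITCODE -ne 0) {
    Copy-Item "$SshdConfig.bak" $SshdConfig -Force
    throw 'sshd_config failed validation; original file restored'
}
Restart-Service sshd

# 4. Check from a client:
#   sftp sftpuser@<host>          -> 'pwd' shows /, which is D:\MyDataRoot on disk
#   ssh  sftpuser@<host> cmd.exe  -> no shell; the forced command (internal-sftp)
#                                    runs instead of the requested command
```

The validation step matters more than it looks: a Subsystem line that lands below an existing Match block, or a ChrootDirectory the account cannot read, leaves you with a service that fails to start, and with the backup in place the script restores the previous file instead of locking you out of the host.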