Using SFTP with SSH ForceCommand directive

I have set up an SSH server (call it group2.fqdn) with this ForceCommand directive:

Match Group group1
       ForceCommand ssh -t group1.fqdn

Match Group="*,!local,!group2,!root"
       ForceCommand ssh -t group3.fqdn

This breaks sftp for users not in group2. How can I modify this so that sftp works?

Thus: user1 of group1 does:

sftp group2.fqdn

and they (perhaps having to enter passwords twice) are then actually doing sftp to group1.fqdn. Can this be done?


Context:
In our lab, we have a few Ubuntu servers for each group, but only one is allowed external access, so all groups had to login to one group's server, and all but one then are forced to SSH into another server. We used to do this with a custom shell, but I'm trying to use available server options instead of hacks. The custom shell variant didn't allow SFTP, and this doesn't either, but I'd like to somehow get SFTP to work for all these servers.


Solution 1:

The trick to getting SFTP working is to pass on the SSH command received from the client as-is to the server. I discovered this while testing out what happens when you do scp or sftp for a question on Unix & Linux.

Now, my configuration looks like:

Match Group group1
       ForceCommand /usr/local/bin/ssh_wrapper group1

Match Group="*,!local,!group2,!root"
       ForceCommand /usr/local/bin/ssh_wrapper group3

Where /usr/local/bin/ssh_wrapper is:

#! /bin/sh

/usr/bin/ssh -t -o StrictHostKeyChecking=no $USER@${1:-default}.fqdn $SSH_ORIGINAL_COMMAND

From a couple of quick tests, sftp and scp work fine with this configuration.