Using SFTP with SSH ForceCommand directive
I have set up an SSH server (call it `group2.fqdn`) with this `ForceCommand` directive:

```
Match Group group1
ForceCommand ssh -t group1.fqdn
Match Group="*,!local,!group2,!root"
ForceCommand ssh -t group3.fqdn
```

This breaks `sftp` for users not in `group2`. How can I modify this so that `sftp` works?

Thus: `user1` of `group1` does:

```
sftp group2.fqdn
```

and they (perhaps having to enter passwords twice) are then actually doing `sftp` to `group1.fqdn`. Can this be done?
Context:
In our lab, we have a few Ubuntu servers for each group, but only one is allowed external access, so all groups had to login to one group's server, and all but one then are forced to SSH into another server. We used to do this with a custom shell, but I'm trying to use available server options instead of hacks. The custom shell variant didn't allow SFTP, and this doesn't either, but I'd like to somehow get SFTP to work for all these servers.
Solution 1:
The trick to getting SFTP working is to pass on the SSH command received from the client as-is to the server. I discovered this while testing out what happens when you do `scp` or `sftp` for a question on Unix & Linux.
Now, my configuration looks like:

```
Match Group group1
ForceCommand /usr/local/bin/ssh_wrapper group1
Match Group="*,!local,!group2,!root"
ForceCommand /usr/local/bin/ssh_wrapper group3
```

Where `/usr/local/bin/ssh_wrapper` is:

```sh
#! /bin/sh
# $1 is the group name from the ForceCommand line; sshd puts the command the
# client asked for (empty for an interactive login, "internal-sftp" or the
# sftp-server path for sftp, "scp -t ..." for scp) in SSH_ORIGINAL_COMMAND.
# -t only takes effect when stdin is a terminal, so sftp/scp still get a plain
# channel. StrictHostKeyChecking=no disables host key verification of the
# inner server.
/usr/bin/ssh -t -o StrictHostKeyChecking=no "$USER@${1:-default}.fqdn" "$SSH_ORIGINAL_COMMAND"
```
From a couple of quick tests, `sftp` and `scp` work fine with this configuration.
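As an added example (not the answerer's script), here is a wrapper that applies the same idea of forwarding `SSH_ORIGINAL_COMMAND`, but classifies the request first so that interactive logins, `sftp` and `scp`/exec each get the right form of inner `ssh` invocation, and keeps host key verification on. The host names (`group1.fqdn` etc. passed as `$1`) and the system-wide `/etc/ssh/ssh_known_hosts` file are assumptions about the deployment.

```sh
#!/bin/sh
# Added example: ForceCommand wrapper that forwards the client's original
# request to an inner host. Deploy as e.g.
#   ForceCommand /usr/local/bin/ssh_forward group1.fqdn
# Assumes the inner hosts' keys are already in /etc/ssh/ssh_known_hosts.

# Decide what kind of request sshd handed us, based on SSH_ORIGINAL_COMMAND.
#   ""                      -> interactive login ("shell")
#   internal-sftp / path to sftp-server -> sftp client ("sftp")
#   anything else (scp -t, rsync, "ssh host cmd") -> pass-through ("exec")
classify() {
    case "$1" in
        "")                           echo shell ;;
        internal-sftp|*/sftp-server)  echo sftp ;;
        *)                            echo exec ;;
    esac
}

# Replace this process with the inner ssh. $1 = inner host, $2 = original command.
dispatch() {
    host="$USER@$1"
    orig=$2
    # Refuse unknown or changed inner host keys instead of silently accepting them;
    # the gateway is the only place that can verify the inner server's identity.
    hostkey_opt="-o StrictHostKeyChecking=yes"
    case "$(classify "$orig")" in
        shell)
            # Interactive: request a pty on the inner host.
            exec ssh -t $hostkey_opt "$host"
            ;;
        sftp)
            # Ask the inner host for its sftp subsystem rather than echoing the
            # gateway's sftp-server path, which may not exist there. No pty.
            exec ssh $hostkey_opt -s "$host" sftp
            ;;
        exec)
            # Pass the command through as a single argument; the inner sshd
            # hands it to the user's shell exactly as the client sent it.
            exec ssh $hostkey_opt "$host" "$orig"
            ;;
    esac
}

# Only dispatch when actually running under sshd with a target host given,
# so the file can also be sourced for testing.
if [ -n "${SSH_CONNECTION:-}" ] && [ $# -ge 1 ]; then
    dispatch "$1" "${SSH_ORIGINAL_COMMAND:-}"
fi
```

Passing `"$orig"` as one quoted argument (rather than an unquoted expansion) avoids the gateway's shell splitting or globbing the client-supplied text; the inner host's shell still interprets it, just as it would for a direct connection.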