Is it possible to separate SSH and SFTP?
For example, have SFTP listening on port 22 and SSH on port 2222?
I have separate lists of SFTP and SSH users; the goal is to allow SFTP users to connect on port 22 and make SSH listen on a higher port such as 2222.
As both are essentially part of SSH, I could not find a way to achieve this.
Thanks in advance!
The other questions are correct, but you can set up a single instance of OpenSSH to listen on both ports and handle SFTP connections on one and SSH connections on the other:
    Port 22
    Port 2222
    Subsystem sftp internal-sftp
    Match LocalPort 22
        ChrootDirectory /sftp/root/dir
        AllowTCPForwarding no
        X11Forwarding no
        ForceCommand internal-sftp
Adding a second instance running on a separate port definitely works, but then you have to deal with telling users to use another port - which they won't. You can also use match user and match group lines to force users and/or groups to be sftp-only.
In sshd-config, you can do something like
    Subsystem sftp internal-sftp
    ...
    Match Group sftponly
        ChrootDirectory /sftp/root/dir
        AllowTCPForwarding no
        X11Forwarding no
        ForceCommand internal-sftp
See also Linux shell to restrict sftp users to their home directories?
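Added example, not part of any answer above: a small Python approximation of how sshd applies Match blocks, used to check which connections end up SFTP-only under the configurations shown. The function names and the connection dictionaries are hypothetical, the sample text is constructed from the first answer, and pattern wildcards and negation are not handled.

```python
# OpenSSH defaults for the keywords checked, and the values an SFTP-only user needs.
DEFAULTS = {"forcecommand": "none", "chrootdirectory": "none",
            "allowtcpforwarding": "yes", "x11forwarding": "no"}
SFTP_ONLY = {"forcecommand": "internal-sftp",
             "allowtcpforwarding": "no", "x11forwarding": "no"}

# Constructed sample: the first answer's configuration.
SAMPLE = """\
Port 22
Port 2222
Subsystem sftp internal-sftp
Match LocalPort 22
    ChrootDirectory /sftp/root/dir
    AllowTCPForwarding no
    X11Forwarding no
    ForceCommand internal-sftp
"""

def block_applies(criteria, conn):
    """True if every 'Name pattern-list' pair on a Match line fits conn."""
    tokens = criteria.split()
    for name, patterns in zip(tokens[::2], tokens[1::2]):
        have = conn.get(name.lower(), ())
        have = {have} if isinstance(have, str) else set(have)
        if not have & set(patterns.split(",")):  # exact names only (assumption)
            return False
    return True

def effective_settings(text, conn):
    global_opts, match_opts = {}, {}
    target = global_opts  # lines before the first Match are global
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        keyword, arg = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if keyword == "match":
            target = match_opts if block_applies(arg, conn) else None
        elif target is not None:
            target.setdefault(keyword, arg.strip())  # first value obtained wins
    return {**DEFAULTS, **global_opts, **match_opts}

def sftp_only_gaps(text, conn):
    """Keywords whose effective value leaves more than chrooted SFTP open."""
    eff = effective_settings(text, conn)
    gaps = [k for k, want in SFTP_ONLY.items() if eff[k].lower() != want]
    if eff["chrootdirectory"].lower() == "none":
        gaps.append("chrootdirectory")
    return gaps
```

With the LocalPort configuration, a connection to port 22 comes back with no gaps, while the same user on port 2222 still gets the global settings, so restricting SFTP accounts on both ports needs a Match User or Match Group block as well. On a real host, `sshd -T -C user=NAME,lport=22` prints the effective values.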