
Separate SSH and SFTP [closed]

Tags: linux, ssh, sftp

Is it possible to separate SSH and SFTP?

For example, have SFTP listening on port 22 and SSH on port 2222?

I have separate lists of SFTP and SSH users; the goal is to allow SFTP users to connect on port 22 and make SSH listen on a higher port such as 2222.

As both are essentially part of SSH I could not find a way to achieve this.

Thanks in advance!

Igor asked May 09 '16 08:05


2 Answers

The other questions are correct, but you can set up a single instance of OpenSSH to listen on both ports and handle SFTP connections on one and SSH connections on the other:

Port 22
Port 2222
Subsystem sftp internal-sftp
Match LocalPort 22
    ChrootDirectory /sftp/root/dir
    AllowTCPForwarding no
    X11Forwarding no
    ForceCommand internal-sftp

Jakuje answered Oct 24 '22 15:10


Adding a second instance running on a separate port definitely works, but then you have to deal with telling users to use another port - which they won't. You can also use Match User and Match Group lines to force users and/or groups to be sftp-only.

In sshd_config, you can do something like:

Subsystem sftp internal-sftp
...
Match Group sftponly
        ChrootDirectory /sftp/root/dir
        AllowTCPForwarding no
        X11Forwarding no
        ForceCommand internal-sftp

See also Linux shell to restrict sftp users to their home directories?

Andrew Henle answered Oct 24 '22 16:10
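
Added example (not part of either answer): a simplified Python model of how sshd applies Match blocks, comparing the Match LocalPort 22 configuration from the first answer with the Match Group sftponly configuration from the second. The users alice and bob and the group staff are constructed, and only exact LocalPort, User and Group criteria are modeled (no patterns or negation).

```python
# Added example: simplified model of how sshd applies Match blocks (not sshd itself).
# Supported criteria: LocalPort, User, Group with exact names (no patterns/negation).

PORT_BASED = """\
Port 22
Port 2222
Subsystem sftp internal-sftp
Match LocalPort 22
    ChrootDirectory /sftp/root/dir
    AllowTCPForwarding no
    X11Forwarding no
    ForceCommand internal-sftp
"""
# Same restrictions, keyed on group membership instead of the listening port.
GROUP_BASED = PORT_BASED.replace("Match LocalPort 22", "Match Group sftponly")

def parse(text):
    """Return [(criteria, settings)]; the first entry (criteria None) is the global section."""
    blocks = [(None, {})]
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        if key.lower() == "match":
            words = value.split()
            blocks.append((dict(zip(map(str.lower, words[::2]), words[1::2])), {}))
        else:
            blocks[-1][1].setdefault(key.lower(), value.strip())  # first value wins
    return blocks

def effective(blocks, lport, user, groups):
    """Settings for one connection: satisfied Match blocks in file order, then global."""
    conn = {"localport": {str(lport)}, "user": {user}, "group": set(groups)}
    result = {}
    for crit, settings in blocks[1:] + blocks[:1]:
        if crit is None or all(set(v.split(",")) & conn.get(k, set()) for k, v in crit.items()):
            for key, value in settings.items():
                result.setdefault(key, value)
    return result

def sftp_only(config_text, lport, user, groups):
    """True when the connection is forced into internal-sftp."""
    return effective(parse(config_text), lport, user, groups).get("forcecommand") == "internal-sftp"

if __name__ == "__main__":
    for name, cfg in (("LocalPort", PORT_BASED), ("Group", GROUP_BASED)):
        for port in (22, 2222):
            # alice is a constructed member of the sftponly group
            print(name, port, "alice sftp-only:", sftp_only(cfg, port, "alice", ["sftponly"]))
```

With the port-based configuration, a connection to port 2222 is not forced into internal-sftp regardless of which user connects, while the group-based configuration restricts sftponly members on both ports. On a real host, sshd's extended test mode (`sshd -T` with a `-C` connection specification) reports the settings sshd itself would apply.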