I can SSH and run commands as the system administrator. I also have set up some users to do "jailed" SFTP.
How can I change the following sshd_config file to allow TestUser2 to do both jailed SFTP (limited to his directory) and also run commands from a remote terminal? For example, in WinSCP, you can press Ctrl-P to get the command line window.
```
Subsystem sftp /usr/lib/openssh/sftp-server

#SFTP ONLY
Match User TestUser1
    ChrootDirectory %h
    X11Forwarding no
    AllowTcpForwarding no
    PermitTTY no
    PasswordAuthentication no
    PubkeyAuthentication yes
    ForceCommand internal-sftp

#SFTP Plus Command Line
Match User TestUser2
    ChrootDirectory %h
    X11Forwarding no
    AllowTcpForwarding no
    PermitTTY yes
    PasswordAuthentication no
    PubkeyAuthentication yes
    ForceCommand internal-sftp
```
I'm running Ubuntu 20.04, but I think the question is generic.
Update: I'm pretty sure the "ForceCommand internal-sftp" is what allows the user to only do SFTP, and not to do any other shell commands. But I know my root user can do both SFTP and shell commands, so I would like to know how to do that for user=TestUser2 above.
What you want to do is "drop root". I do not know whether SSH permits this action since SSH is global to all users. However, you can try an ACL to ban all other directories for this user.
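As an added example (not part of the question or the answer above), the following Python check reads an sshd_config and reports, per `Match User` block, whether the user is confined to SFTP by `ForceCommand internal-sftp` and whether a chroot applies. The function names are hypothetical, the embedded sample is the question's config trimmed to the keywords the check reads, and the parser assumes literal user names in `Match User` lines with no patterns or other criteria.

```python
# Added example: classify the "Match User" blocks of an sshd_config.
# SAMPLE is the question's config, trimmed to the keywords this check reads.
SAMPLE = """\
Subsystem sftp /usr/lib/openssh/sftp-server
Match User TestUser1
ChrootDirectory %h
PermitTTY no
ForceCommand internal-sftp
Match User TestUser2
ChrootDirectory %h
PermitTTY yes
ForceCommand internal-sftp
"""

def parse_match_users(text):
    """Return {user: {keyword: value}} for each 'Match User a,b' block.
    Assumption: literal user names only; other Match criteria are ignored."""
    blocks, current = {}, []
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        key = parts[0].lower()          # sshd keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            crit = value.split()
            is_user = len(crit) >= 2 and crit[0].lower() == "user"
            current = crit[1].split(",") if is_user else []
            for user in current:
                blocks.setdefault(user, {})
        else:
            for user in current:
                blocks[user].setdefault(key, value)  # first value per keyword wins
    return blocks

def audit(text):
    """Report SFTP-only and chroot status for every matched user."""
    report = {}
    for user, opts in parse_match_users(text).items():
        sftp_only = opts.get("forcecommand", "").split()[0:1] == ["internal-sftp"]
        chrooted = "chrootdirectory" in opts
        notes = []
        if sftp_only and opts.get("permittty", "").lower() == "yes":
            notes.append("PermitTTY yes gives no shell while ForceCommand internal-sftp is set")
        if chrooted and not sftp_only:
            notes.append("shell sessions start inside the chroot, which must contain a shell")
        report[user] = {"sftp_only": sftp_only, "chrooted": chrooted, "notes": notes}
    return report

if __name__ == "__main__":
    for user, result in audit(SAMPLE).items():
        print(user, result)
```

On a live host, `sshd -T -C user=TestUser2` prints the effective settings sshd itself would apply to that user, which is the authoritative check.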