I've been using the internal-sftp subsystem approach since 2021 without problems to allow SFTP but disallow SSH.
My ssh_config file code is:
ForceCommand internal-sftp
Subsystem sftp sftp-server.exe -d \%
ChrootDirectory \%
PermitTunnel no
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no
AllowUsers sftpuser
Like others, over the weekend following the October 2024 Windows updates, I can't connect to the server via SSH.
On the server, the OpenSSH SSH server won't start and I get a 1067 error.
As recommended, when I delete the \ssh folder, the service can now be restarted successfully but the new ssh folder automatically created has the default ssh_config file code:
Match Group administrators
AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys
When I replace this code with the internal-sftp code above I again get a 1067 error.
Wondering what makes this code incompatible with the new updates.
I had the same issue with a similar setup. I ran
sshd -D -ddd
and saw an error that was encountered on the Subsystem line in the config file. I had a full path to a folder and it was in quotes. It did not like the quotes for some reason and started right up. To make sure you have all the info of things I tried beforehand:
sshd -D -ddd
Hopefully this helps you or at least gives you more info to put you in the right direction!
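Added example, not from either poster: a pre-restart check that flags Subsystem lines containing quotes (the pattern the answer above reports) and then asks sshd to validate the config in test mode. The executable and config paths are assumed Windows OpenSSH defaults, `Find-QuotedSubsystem` is a hypothetical helper, and the sample config is constructed.

```powershell
# Added example. Paths below are the usual Windows OpenSSH defaults (assumption).
$SshdExe    = Join-Path $env:WINDIR 'System32\OpenSSH\sshd.exe'
$ConfigPath = Join-Path $env:ProgramData 'ssh\sshd_config'

function Find-QuotedSubsystem {
    # Hypothetical helper: emits each Subsystem line whose command part
    # contains a double quote, with its 1-based line number.
    param([string[]]$Lines)
    for ($i = 0; $i -lt $Lines.Count; $i++) {
        $line = $Lines[$i].Trim()
        if ($line -match '^subsystem\s+\S+\s+.*"') {
            [pscustomobject]@{ LineNumber = $i + 1; Text = $line }
        }
    }
}

# Constructed sample config (not the poster's file) to show what gets flagged.
$sample = @'
# constructed sample
Subsystem sftp "C:\Program Files\OpenSSH\sftp-server.exe"
ForceCommand internal-sftp
AllowUsers sftpuser
'@ -split "`r?`n"
Find-QuotedSubsystem -Lines $sample | Format-Table -AutoSize

# Same scan on the live config, then let sshd itself validate it.
if ((Test-Path -LiteralPath $ConfigPath) -and (Test-Path -LiteralPath $SshdExe)) {
    $hits = @(Find-QuotedSubsystem -Lines (Get-Content -LiteralPath $ConfigPath))
    foreach ($h in $hits) {
        Write-Warning ("{0} line {1}: quoted Subsystem argument: {2}" -f $ConfigPath, $h.LineNumber, $h.Text)
    }
    # -t is sshd's test mode: check the config and keys, then exit.
    & $SshdExe -t -f $ConfigPath
    if ($LASTEXITCODE -eq 0) {
        Write-Output 'sshd -t accepted the config; the service can be restarted.'
    } else {
        Write-Warning "sshd -t rejected the config (exit code $LASTEXITCODE); run sshd -D -ddd for the failing line."
    }
}
```

Run it from an elevated prompt so sshd can read the host keys under the ssh data folder.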