An Ubuntu 16 server is used as an SFTP server. This server is located in a DMZ VLAN.
This server must be configured so that:
From the external internet, only SFTP can be used to log in, but ssh cannot be used (to start a bash).
From the internal network, it must be possible to log in with both SFTP and SSH (to start a bash).
Two sshd can be started for this, each with its own sshd_config file and own port number.
How can an sshd_config be configured in such a way that it is possible to log in with SFTP but not with ssh (to start a bash)?
Note: I am unable to fully test this at the moment - posted in the hope that it will be useful.

This should be possible with a single sshd instance, by using a Match block at the bottom of the server's sshd_config file.

Replace 192.168.1.0/24 with your own LAN CIDR address range.

See also How can the Address condition in a Match conditional block in sshd_config be negated?
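
One way such a Match block can look, as an added example that is not the answerer's original block and has not been tested on the asker's server. It assumes sshd sees the real client address (no source NAT on the DMZ firewall) and reuses 192.168.1.0/24 as the LAN range.

```conf
# /etc/ssh/sshd_config (excerpt, constructed example)

# ... global settings stay unchanged above this point, so clients from
# the LAN keep normal SSH shell access as well as SFTP ...

# Match blocks go at the bottom of the file: each one applies until the
# next Match line or the end of the file.
#
# A negated pattern on its own never produces a match, so the list
# starts with the wildcard "*" and then excludes the LAN range.
# 192.168.1.0/24 is the range from the answer; replace it with your own.
Match Address *,!192.168.1.0/24
    # Every session from a non-LAN address runs the in-process SFTP
    # server, whatever command or shell the client asked for.
    ForceCommand internal-sftp
    # No terminal and no forwarding channels for these clients.
    PermitTTY no
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
```

Run `sshd -t` to check the syntax before reloading the service, and keep an existing session open while confirming that a LAN client still gets a shell.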