So I know you can set the chroot in a system-wide config file located in C:\ProgramData\ssh\sshd_config. Is it possible to set this for a specific user individually?
@Dragane: Which article are you referring to?
Very likely that this is about one of the OpenSSH pages.
Would be nice to know which one, though.
@konstruktoid: Would you happen to know what the OP is asking for, or do you think their question belongs to one of the Microsoft forum pages?
ChrootDirectory (Support added in v7.7.0.0)
This directive is only supported with sftp sessions. A remote session into cmd.exe wouldn't honor this. To set up an sftp-only chroot server, set ForceCommand to internal-sftp. You may also set up scp with chroot, by implementing a custom shell that would only allow scp and sftp.
It's basically

sshd_config:

Subsystem sftp internal-sftp
Match Group sftp
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no

and a user added to the sftp group will be chrooted, if the home directory et al. exists.
Thank you guys and sorry for not replying earlier.
So yes, I was referring to the article that @konstruktoid mentioned. I also found instructions on:
https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse
https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_server_configuration#allowgroups-allowusers-denygroups-denyusers
Question for @konstruktoid:
So let's say that I create a Windows group called sftp. I want each Windows user from this group to have its own chroot directory. And that directory shouldn't be the user's home directory, but rather a folder on the C: drive. How would I do this? Because from your example I assume that each user would get their own home directory as a chroot directory (%h).
@Dragane, remove the %h token and add the folder path, e.g. ChrootDirectory C:\MyDataRoot.
https://github.com/PowerShell/Win32-OpenSSH/issues/190#issuecomment-662879084 and https://github.com/PowerShell/openssh-portable/pull/308#issuecomment-391884272 might be helpful as well.
OK, so I set the following in my C:\ProgramData\ssh\sshd_config:

ForceCommand internal-sftp
Match User init
    ChrootDirectory C:\sftp_repo

This makes the Windows user called init have access to C:\sftp_repo.
Now can you tell me what line to add to make a user called, let's say, "dev" have access to some other folder, let's say C:\devrepo\?
Shall I edit maybe some other file than C:\ProgramData\ssh\sshd_config?
https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_server_configuration#match can surely be expanded, but it's documented in the sshd_config manual, e.g. https://manpages.ubuntu.com/manpages/focal/en/man5/sshd_config.5.html:

Match: Introduces a conditional block. If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file. If a keyword appears in multiple Match blocks that are satisfied, only the first instance of the keyword is applied.

Example:

Match User init
    ChrootDirectory C:\sftp_repo
    AllowTcpForwarding no
Match User dev
    ChrootDirectory C:\devrepo
    AllowTcpForwarding no
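The per-user Match blocks above, together with the sftp-only chroot setup from the earlier comment, can be applied from an elevated PowerShell prompt. The script below is an added example, not code from this thread or from the Win32-OpenSSH project: it creates one chroot root per user with a minimal ACL, appends a Match block per user to the end of the system-wide sshd_config, syntax-checks the result and restarts the service. The user names (init, dev), the folders (C:\sftp_repo, C:\devrepo), the read-only root with a writable "upload" subfolder, and the sshd.exe location are assumptions taken from the thread or chosen for illustration.

```powershell
# Added example (not from the issue thread or the Win32-OpenSSH project).
# Assumed: local users "init" and "dev", chroot roots C:\sftp_repo and
# C:\devrepo, sshd_config at C:\ProgramData\ssh\sshd_config. Run elevated.
#Requires -RunAsAdministrator

$SshdConfig = 'C:\ProgramData\ssh\sshd_config'
$Chroots = [ordered]@{ 'init' = 'C:\sftp_repo'; 'dev' = 'C:\devrepo' }

function New-SftpChrootDirectory {
    param([string]$User, [string]$Path)

    New-Item -ItemType Directory -Path $Path -Force | Out-Null

    # Drop inherited ACEs so the chroot root carries only what is granted here:
    # Administrators and SYSTEM full control, the SFTP user read/execute.
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit'
    $none    = [System.Security.AccessControl.PropagationFlags]::None
    foreach ($pair in @(
            @('BUILTIN\Administrators', 'FullControl'),
            @('NT AUTHORITY\SYSTEM',    'FullControl'),
            @($User,                    'ReadAndExecute'))) {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
                    $pair[0], $pair[1], $inherit, $none, 'Allow')))
    }
    Set-Acl -Path $Path -AclObject $acl

    # The user may write only below "upload". A read-only chroot root is the
    # usual least-privilege layout for sftp chroots; it is a choice made here,
    # not something Win32-OpenSSH requires.
    $upload = Join-Path $Path 'upload'
    New-Item -ItemType Directory -Path $upload -Force | Out-Null
    $uploadAcl = Get-Acl -Path $upload
    $uploadAcl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
                $User, 'Modify', $inherit, $none, 'Allow')))
    Set-Acl -Path $upload -AclObject $uploadAcl
}

function Add-SftpMatchBlock {
    param([string]$User, [string]$Path)

    $config = Get-Content -Path $SshdConfig -Raw
    if ($config -match "(?im)^\s*Match\s+User\s+$([regex]::Escape($User))\b") {
        Write-Warning "sshd_config already has a Match User $User block; leaving it alone"
        return
    }
    # Every directive after a Match line belongs to that block until the next
    # Match, so per-user blocks go at the end of the file, never into the
    # global section. ForceCommand internal-sftp uses the in-process SFTP
    # server on its own, whatever the global Subsystem line says.
    $block = @"

Match User $User
    ChrootDirectory $Path
    ForceCommand internal-sftp
    AllowTcpForwarding no
"@
    # Append without a BOM (PowerShell 5.1's -Encoding UTF8 would add one).
    $utf8NoBom = New-Object System.Text.UTF8Encoding($false)
    [System.IO.File]::AppendAllText($SshdConfig, $block + "`r`n", $utf8NoBom)
}

# Keep a copy of the config before touching it.
Copy-Item -Path $SshdConfig -Destination ('{0}.{1}.bak' -f $SshdConfig, (Get-Date -Format 'yyyyMMddHHmmss'))

foreach ($entry in $Chroots.GetEnumerator()) {
    New-SftpChrootDirectory -User $entry.Key -Path $entry.Value
    Add-SftpMatchBlock      -User $entry.Key -Path $entry.Value
}

# Syntax-check before restarting: a bad config leaves sshd down and you locked out.
# Assumed sshd.exe location: on PATH, otherwise the in-box install under System32.
$sshd = (Get-Command sshd.exe -ErrorAction SilentlyContinue).Source
if (-not $sshd) { $sshd = Join-Path $env:SystemRoot 'System32\OpenSSH\sshd.exe' }
& $sshd -t
if ($LASTEXITCODE -ne 0) { throw 'sshd_config failed the syntax check; sshd was not restarted' }
Restart-Service -Name sshd
```

After the restart, `sftp init@server` followed by `pwd` should report the chroot root as `/`, and `cd ..` cannot leave it; a plain `ssh init@server` is refused because ForceCommand only permits internal-sftp. If every member of a group should get a folder named after them rather than one block per user, the sshd_config manual quoted above also allows the %u token, e.g. a single `Match Group sftp` block with `ChrootDirectory C:\sftp\%u`, provided each folder exists before the user logs in.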
Thank you very much for your help @konstruktoid. This solved my issue!
@Dragane : Do you find that the information provided is needed in the documentation, or do you see it as an off-hand, random issue?
If your issue/case is common and the information is needed by others, we may want to reopen this ticket.
I just used the example that Thomas provided and it was exactly what I was looking for. I didn't even have to read the documentation provided.
On Thu, Sep 10, 2020, 18:20 Trond B. Krokli notifications@github.com wrote:
@Dragane: Do you find that the information provided is needed in the documentation, or do you see it as an off-hand, random issue? If your issue/case is common and the information is needed by others, we may want to reopen this ticket.
OK. Fair enough. No documentation involved, I see.