OpenSSH
Logging in with a specific private key - conflicts with ssh-agent
ssh allows a specific private key to be used for a login. This is useful if you have a private key stored in a non-default location, or if you have a server which is configured to reject you after a number of failed attempts (because ssh will otherwise step through all of the keys in ~/.ssh/ until one works):
$ ssh -i /some/path/to/special.key special.example.org
However there is a gotcha: if you are running a key agent (e.g. ssh-agent) it might not honour your -i, and ssh will offer the agent's keys as well (certainly the OpenSSH ssh-agent does this).
You can see this happening by using the -v verbose option when logging in - you will see a number of keys that you did not specify being offered.
A work-around I have found is to disable the ssh agent - this can be done by clearing the SSH_AUTH_SOCK environment variable - so for example in bash:
alias sshspecial="SSH_AUTH_SOCK='' ssh -i /some/path/to/special.key special.example.org"
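To make the gotcha visible rather than guessing from a scrolling -v log, the following added example (not part of the original page) parses ssh -v output and lists which keys were offered from the agent before the key given with -i was reached. The sample log is constructed, modelled on the "Offering public key:" lines of OpenSSH 8.x, where identities that came from ssh-agent carry an "agent" suffix and those given on the command line carry "explicit"; the host, paths and fingerprints are made up.

```python
import re

# Constructed sample of `ssh -v special.example.org -i /some/path/to/special.key`
# debug output (not captured from a real host). Each key the server rejects is
# followed by an "Authentications that can continue" line; each rejected offer
# counts as one failure against a server that locks you out after N tries.
SAMPLE_VERBOSE = """\
debug1: Connecting to special.example.org [192.0.2.10] port 22.
debug1: Will attempt key: /home/me/.ssh/id_rsa RSA SHA256:AAAA agent
debug1: Will attempt key: /home/me/.ssh/id_ed25519 ED25519 SHA256:BBBB agent
debug1: Will attempt key: /some/path/to/special.key ED25519 SHA256:CCCC explicit
debug1: Offering public key: /home/me/.ssh/id_rsa RSA SHA256:AAAA agent
debug1: Authentications that can continue: publickey
debug1: Offering public key: /home/me/.ssh/id_ed25519 ED25519 SHA256:BBBB agent
debug1: Authentications that can continue: publickey
debug1: Offering public key: /some/path/to/special.key ED25519 SHA256:CCCC explicit
debug1: Server accepts key: /some/path/to/special.key ED25519 SHA256:CCCC explicit
"""

# "Offering public key: <path> <type> <fingerprint>[ flags...]"
OFFER_RE = re.compile(
    r"^debug1: Offering public key: (?P<path>\S+) (?P<type>\S+) (?P<fp>\S+)"
    r"(?P<flags>(?: \w+)*)$"
)


def offered_keys(verbose_output):
    """Return [(path, source)] for every key ssh offered, in order.

    source is 'agent' when the identity came from ssh-agent, else 'file'.
    """
    keys = []
    for line in verbose_output.splitlines():
        m = OFFER_RE.match(line.strip())
        if not m:
            continue
        flags = m.group("flags").split()
        keys.append((m.group("path"), "agent" if "agent" in flags else "file"))
    return keys


def extra_agent_offers(verbose_output, wanted_key):
    """Agent keys ssh offered before it got to the key you passed with -i.

    With SSH_AUTH_SOCK cleared (the alias above) this list should be empty.
    """
    extra = []
    for path, source in offered_keys(verbose_output):
        if path == wanted_key:
            break
        if source == "agent":
            extra.append(path)
    return extra


if __name__ == "__main__":
    for path in extra_agent_offers(SAMPLE_VERBOSE, "/some/path/to/special.key"):
        print("agent key offered before -i key:", path)
```

Run it against real output with `ssh -v ... 2>&1 | python3 thisfile.py` after swapping the sample for sys.stdin.read(). OpenSSH also provides the client option IdentitiesOnly=yes for exactly this situation: it tells ssh to offer only the identities configured or given with -i even when an agent holds more, which avoids having to disable the agent for the whole command.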
Configuring chroot'd SFTP-only access
To allow a user to log in only using sftp, and to also restrict that user to a chroot'd directory, use the ChrootDirectory and ForceCommand directives. Note that OpenSSH enforces directory ownership and permission restrictions on ChrootDirectory, and that in order to use sftp without having to copy the sftp-server binary and its dependencies into the chroot jail, the internal-sftp "command"/"subsystem" needs to be used.
Set up the chroot base directory and set permissions
# mkdir /home/sftpjail
# chown root:root /home/sftpjail
# chmod 755 /home/sftpjail
Configure sshd with sftp restricted access
For this example, users in group sftpuser will be restricted to sftp access and jailed using chroot. Note that the global configuration of the sftp subsystem needs to be internal-sftp; by default it is often /usr/lib/openssh/sftp-server instead.
In /etc/ssh/sshd_config (or wherever your config file is):
# Needed to allow ChrootDirectory sftp (below)
Subsystem sftp internal-sftp

# Restrict users in group "sftpuser" to be just sftp (also block forwarding of ports/X11)
Match Group sftpuser
    ChrootDirectory /home/sftpjail
    ForceCommand internal-sftp
    X11Forwarding no
    AllowTcpForwarding no
Check the file with sshd -t and then restart sshd.
Add usera
Create the user however you usually do. In this example the restriction applies to users in the group sftpuser, so make sure the user is a member of that group.
Set up director(y|ies) for user(s)
# mkdir /home/sftpjail/usera
# chown usera:usera /home/sftpjail/usera
# chmod 700 /home/sftpjail/usera
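The ownership rule mentioned above is the most common reason a chroot'd sftp login fails: sshd refuses to chroot unless every path component from / down to the ChrootDirectory is owned by root and is not group- or world-writable, and it logs "bad ownership or modes for chroot directory component" when this is violated. The following is an added example, not part of the original page, that checks the procedure above from both ends: it walks the chroot path and reports any component that breaks that rule, and it reads the global Subsystem line of an sshd_config to confirm it is internal-sftp. The sample config text and sample path components are constructed; the function names are my own.

```python
import os
import stat


def path_component_problems(components):
    """Check (path, uid, mode) tuples for / down to the ChrootDirectory.

    Mirrors the rule sshd applies before chrooting: each component must be
    owned by root and must not be group- or world-writable. Returns a list of
    human-readable problems (empty when the path is acceptable).
    """
    problems = []
    for path, uid, mode in components:
        if uid != 0:
            problems.append(f"{path}: owned by uid {uid}, must be root")
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append(
                f"{path}: group/world writable (mode {stat.S_IMODE(mode):04o})"
            )
    return problems


def chroot_components(chroot_dir):
    """Collect (path, uid, mode) from the real filesystem for each component."""
    chroot_dir = os.path.abspath(chroot_dir)
    parts = [p for p in chroot_dir.split("/") if p]
    current = "/"
    st = os.stat(current)
    components = [(current, st.st_uid, st.st_mode)]
    for part in parts:
        current = os.path.join(current, part)
        st = os.stat(current)
        components.append((current, st.st_uid, st.st_mode))
    return components


def check_chroot(chroot_dir):
    """Problems with a real ChrootDirectory path, e.g. /home/sftpjail."""
    return path_component_problems(chroot_components(chroot_dir))


def sftp_subsystem(config_text):
    """Return the argument of the global 'Subsystem sftp' line, or None.

    Only the section before the first Match is consulted, since Subsystem is
    not valid inside a Match block. Accepts the optional 'keyword = value' form.
    """
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        words = line.split()
        if len(words) > 1 and words[1] == "=":
            del words[1]
        if words[0].lower() == "match":
            break
        if words[0].lower() == "subsystem" and len(words) >= 3 and words[1].lower() == "sftp":
            return " ".join(words[2:])
    return None


# Constructed sshd_config fragments for demonstration (not taken from a host).
CONFIG_OK = """\
# Needed to allow ChrootDirectory sftp (below)
Subsystem sftp internal-sftp

Match Group sftpuser
    ChrootDirectory /home/sftpjail
    ForceCommand internal-sftp
"""

CONFIG_DEFAULT = """\
Subsystem sftp /usr/lib/openssh/sftp-server
"""

# Constructed stat results: a correct jail, and one handed to the user by mistake.
JAIL_OK = [("/", 0, 0o40755), ("/home", 0, 0o40755), ("/home/sftpjail", 0, 0o40755)]
JAIL_BAD = [("/", 0, 0o40755), ("/home", 0, 0o40755), ("/home/sftpjail", 1001, 0o40775)]


if __name__ == "__main__":
    print("subsystem:", sftp_subsystem(CONFIG_OK))
    for problem in check_chroot("/home/sftpjail"):
        print("chroot:", problem)
```

Run it on the server as any user after the mkdir/chown/chmod steps; an empty chroot report plus "internal-sftp" as the subsystem means the two things sshd will check are in place, and anything it prints is what would otherwise surface only in the auth log after a failed login.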