OpenSSH

Logging in with a specific private key - conflicts with ssh-agent

ssh allows a specific private key to be selected for a login. This is useful if the key is stored in a non-default location, or if the server is configured to reject you after a number of failed attempts (because ssh will otherwise step through all of the keys in ~/.ssh/ until one works):

$ ssh -i /some/path/to/special.key special.example.org

However there is a gotcha: if you are running a key agent (e.g. ssh-agent) it might ignore your -i (certainly the OpenSSH ssh-agent does this).

You can see this happening by using the -v verbose option when logging in: you will see a number of keys that you did not specify being tried.

A work-around I have found is to disable the ssh agent - this can be done by clearing the SSH_AUTH_SOCK environment variable - so for example in bash:

alias sshspecial="SSH_AUTH_SOCK='' ssh -i /some/path/to/special.key special.example.org"
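The following is an added example and is not part of the original wiki page. It wraps the work-around above in a shell function that clears SSH_AUTH_SOCK for the one invocation (OpenSSH treats an empty value the same as an unset one) and additionally passes the real ssh option -o IdentitiesOnly=yes, which tells ssh to offer only the identities named with -i or IdentityFile rather than whatever the agent holds. It also includes a small filter for the "Offering public key:" lines that ssh -v prints, run here over a constructed log excerpt (not output from a real session) so you can see what unexpected agent keys look like. The function and variable names (ssh_only_key, offered_keys, SAMPLE_VERBOSE_LOG) are this example's own.

```shell
#!/bin/sh
# ssh_only_key KEYFILE [ssh args...]: log in with exactly one private key,
# even when an ssh-agent is running (added example, not from the wiki page).
#
# Two independent measures are combined:
#   * SSH_AUTH_SOCK='' hides the agent from ssh for this one command
#     (the page's work-around; OpenSSH treats empty as unset).
#   * -o IdentitiesOnly=yes makes ssh offer only identities given with
#     -i or IdentityFile, never keys the agent happens to hold.
ssh_only_key() {
    key=$1
    shift
    if [ ! -r "$key" ]; then
        echo "ssh_only_key: cannot read private key '$key'" >&2
        return 2
    fi
    SSH_AUTH_SOCK='' ssh -o IdentitiesOnly=yes -i "$key" "$@"
}

# offered_keys: read `ssh -v` output on stdin and print only the identities
# ssh tried, one per line, so keys you did not ask for stand out.
# Assumes the "debug1: Offering public key: <name> <type> <fingerprint> ..."
# line shape used by recent OpenSSH releases.
offered_keys() {
    sed -n 's/^debug1: Offering public key: //p'
}

# Constructed sample (not captured from a real session) of what `ssh -v`
# shows when two agent keys are tried before the key given with -i.
SAMPLE_VERBOSE_LOG='debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: agent-key-1 RSA SHA256:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA agent
debug1: Authentications that can continue: publickey
debug1: Offering public key: agent-key-2 ED25519 SHA256:BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB agent
debug1: Authentications that can continue: publickey
debug1: Offering public key: /some/path/to/special.key RSA SHA256:CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC explicit
debug1: Server accepts key: /some/path/to/special.key RSA SHA256:CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC explicit'

# count_offered_keys: number of identities tried in the sample log above.
count_offered_keys() {
    printf '%s\n' "$SAMPLE_VERBOSE_LOG" | offered_keys | wc -l | tr -d ' '
}

# Usage (replace the key path and host with your own):
#   ssh_only_key /some/path/to/special.key special.example.org
#   ssh -v special.example.org 2>&1 | offered_keys
```

With the wrapper, the verbose log should list only the key given with -i; if agent keys still appear, the agent is being reached through a path other than SSH_AUTH_SOCK (for example a per-host IdentityAgent setting in ~/.ssh/config) and IdentitiesOnly=yes is the setting that still applies.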

Configuring chroot'd SFTP-only access

To allow a user to log in only via sftp, and to restrict that user to a chroot'd directory, use the ChrootDirectory and ForceCommand directives. Note that OpenSSH places ownership and permission restrictions on the ChrootDirectory (which is why the jail directory below is owned by root and not writable by anyone else), and that, to use sftp without having to copy the sftp server and its dependencies into the jail, the in-process internal-sftp "command"/"subsystem" needs to be used.

Set up the chroot base directory and set permissions

# mkdir /home/sftpjail
# chown root:root /home/sftpjail
# chmod 755 /home/sftpjail

Configure sshd with sftp restricted access

In this example, users in the group sftpuser will be restricted to sftp access and jailed using chroot. Note that the global configuration of the sftp subsystem needs to be "internal-sftp"; by default it is often "/usr/lib/openssh/sftp-server" instead.

In /etc/ssh/sshd_config (or wherever your config file is):

# Needed to allow ChrootDirectory sftp (below)
Subsystem sftp internal-sftp

# Restrict users in group "sftpuser" to be just sftp (also block forwarding of ports/X11)
Match Group sftpuser
  ChrootDirectory /home/sftpjail
  ForceCommand internal-sftp
  X11Forwarding no
  AllowTcpForwarding no

And restart sshd.

Add usera

Create the user however you usually do. In this example the restriction applies to members of the group sftpuser, so make sure the user is in that group.

Set up director(y|ies) for user(s)

# mkdir /home/sftpjail/usera
# chown usera:usera /home/sftpjail/usera
# chmod 700 /home/sftpjail/usera
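The most common reason a chroot'd sftp login fails with "bad ownership or modes for chroot directory" in the sshd log is that sshd requires the ChrootDirectory, and every directory above it up to /, to be owned by root and not writable by group or others; the per-user directory inside the jail (usera above) is not subject to this check and may be owned by the user. The script below is an added example, not part of the wiki page, that performs the same walk up the path so you can check a jail before restarting sshd. The function names (check_chroot_component, check_chroot_path) are this example's own, and the optional second argument overriding the expected owner exists only so the logic can be exercised without root.

```shell
#!/bin/sh
# check_chroot_component DIR [OWNER]: verify one path component the way
# sshd does for ChrootDirectory: a real directory (not a symlink), owned by
# OWNER (default root), and not group- or world-writable.
# Prints the first problem found and returns 1; returns 0 if the component is fine.
# (Added example, not sshd's own code; the OWNER override is for testing.)
check_chroot_component() {
    p=$1
    owner=${2:-root}
    # Fields of `ls -ld`: mode string, link count, owner, group, ...
    set -- $(ls -ld "$p" 2>/dev/null)
    perms=$1
    who=$3
    case $perms in
        d*) ;;
        *) echo "$p: not a directory (missing, or a symlink)"; return 1 ;;
    esac
    if [ "$who" != "$owner" ]; then
        echo "$p: owned by '$who', sshd expects '$owner'"
        return 1
    fi
    # Mode string layout: d rwx rwx rwx -> group write is char 6, other write char 9.
    case $perms in
        ?????w*)    echo "$p: group-writable"; return 1 ;;
        ????????w*) echo "$p: world-writable"; return 1 ;;
    esac
    return 0
}

# check_chroot_path DIR [OWNER]: apply the component check to DIR and every
# parent directory up to and including /. Any single failure rejects the jail,
# which is exactly when sshd would refuse the login.
check_chroot_path() {
    dir=$1
    owner=${2:-root}
    case $dir in
        /*) ;;
        *) dir=$(pwd)/$dir ;;
    esac
    p=$dir
    while :; do
        check_chroot_component "$p" "$owner" || return 1
        [ "$p" = / ] && break
        p=$(dirname "$p")
    done
    echo "$dir: ok as a ChrootDirectory"
    return 0
}

# Usage: check_chroot_path /home/sftpjail
```

Run it against the ChrootDirectory value from sshd_config, not against the per-user directory; a jail placed under a world-writable parent such as /tmp is reported as unusable for the same reason sshd rejects it.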

BradsWiki: openssh (last edited 2014-04-10 06:03:28 by BradleyDean)