Description:
[Link1] [Difference between internal-sftp and /usr/libexec/openssh/sftp-server]
Before starting, do the basic ssh server setup first.
The better option is the configuration on the page below (Secure ssh configuration); otherwise follow the configuration in [Ref on Link1].
Add SFTP group
# add the user group
sudo groupadd sftp_group
# add the user without shell login: -s /sbin/nologin refuses an interactive shell
# -m creates the home directory explicitly instead of relying on the distribution's CREATE_HOME default
sudo useradd {sftp_user} -m -g sftp_group -s /sbin/nologin
Create the chroot directory
# ChrootDirectory requires the directory (and every parent up to /) to be owned by root
# and not writable by group or others; {sftp_user} still needs read/execute on it
chown -R root:sftp_group /home/{sftp_user}
chmod -R 555 /home/{sftp_user}
# a root-owned, read-only top level means the user cannot write anywhere yet;
# if the user should be able to upload, give them a writable subdirectory inside the chroot
mkdir /home/{sftp_user}/upload
chown {sftp_user}:sftp_group /home/{sftp_user}/upload
cd /home/{sftp_user}
mkdir .ssh
...
# Add authorized_keys for public key authentication
...
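The ownership and mode rules for ChrootDirectory are checked by sshd at login time for the chroot directory and every ancestor up to /, and a single wrong component is enough to make the login fail. The script below is an added example, not part of these notes: it walks that chain and lists each component that breaks a rule. The required owner and the top of the walk are parameters only so the check can be exercised as an ordinary user on a test directory; a real check uses the defaults (uid 0, up to /).

```python
"""Check that a directory satisfies sshd's ChrootDirectory requirements.

sshd refuses to chroot unless the target directory and every ancestor up
to / are owned by root and are not writable by group or others. This tool
walks that chain and reports every component that breaks a rule.
"""
import os
import stat
import sys
from pathlib import Path


def check_chroot_path(path, required_owner=0, stop_at="/"):
    """Return a list of problems for `path` and its ancestors up to `stop_at`.

    An empty list means sshd would accept `path` as a ChrootDirectory.
    `required_owner` is uid 0 (root) for a real sshd; it is a parameter so the
    check can run on test directories owned by an ordinary user.
    `stop_at` is the highest directory inspected; sshd itself checks up to /.
    """
    problems = []
    current = Path(path).resolve()
    stop = Path(stop_at).resolve()
    while True:
        try:
            st = os.stat(current)
        except FileNotFoundError:
            problems.append(f"{current}: does not exist")
            break
        if not stat.S_ISDIR(st.st_mode):
            problems.append(f"{current}: not a directory")
        if st.st_uid != required_owner:
            problems.append(
                f"{current}: owned by uid {st.st_uid}, expected {required_owner}")
        # 0o022 = group-write | other-write; either bit makes sshd reject the chroot
        if st.st_mode & 0o022:
            problems.append(
                f"{current}: mode {stat.S_IMODE(st.st_mode):04o} is group/world writable")
        # stop at the requested top, or at / (whose parent is itself)
        if current == stop or current == current.parent:
            break
        current = current.parent
    return problems


def main(argv):
    if len(argv) != 2:
        print(f"usage: {argv[0]} /home/sftp_user", file=sys.stderr)
        return 2
    problems = check_chroot_path(argv[1])
    for problem in problems:
        print(problem)
    print("OK: sshd will accept this ChrootDirectory" if not problems
          else f"{len(problems)} problem(s) found")
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 check_chroot.py /home/{sftp_user}` before restarting sshd; a non-zero exit means at least one component of the path would make the chroot fail.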
Edit sshd_config
sudo vim /etc/ssh/sshd_config
# -------------------------
# Change Subsystem sftp to internal-sftp: the in-process SFTP server is required because
# a chrooted user has no /usr/libexec/openssh/sftp-server binary inside the chroot to execute
"
#Subsystem sftp /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftp
"
# Add the block below at the end of the file: every directive after a Match line
# belongs to that Match block until the next Match line
"
Match Group sftp_group
ChrootDirectory %h
ForceCommand internal-sftp
X11Forwarding no
AllowTcpForwarding no
# Normally the global AuthenticationMethods requires 2FA with GA,
# so override it here so that sftp users need only publickey
AuthenticationMethods publickey
"
Restart sshd
# check the syntax first; a broken sshd_config can lock you out after the restart
sudo sshd -t
sudo systemctl restart sshd
If ssh authentication uses a key plus PAM (2FA), please
add a key pair and use public/private key authentication for the sftp user, and
modify /etc/ssh/sshd_config so that the Match Group block overrides AuthenticationMethods:
# add "User *,!{specific_user}" (no space after the comma) to exempt a specific user from this block
Match Group sftp_group User *,!{specific_user}
# <=== add this line
AuthenticationMethods publickey
ChrootDirectory %h
ForceCommand internal-sftp
X11Forwarding no
AllowTcpForwarding no
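The Match line decides which users get the chroot and the publickey-only policy, and its pattern-list rules are easy to get wrong (a space after the comma, or a list that only negates). The script below is an added example, not part of these notes or of OpenSSH: it re-implements the pattern-list rules OpenSSH uses for the User and Group criteria and evaluates a Match line for a given user and group list. It handles only User and Group (Host, Address and the other criteria are left out), and the user and group names are constructed.

```python
"""Decide which users an sshd_config `Match` line applies to.

Re-implements the pattern-list rules OpenSSH uses for the User and Group
Match criteria: entries are comma-separated with no spaces, `*` and `?` are
wildcards, a leading `!` negates an entry, and a negated entry that matches
fails the whole list even if another entry matched. A list made only of
negated entries can never match by itself.
"""
import fnmatch


def glob_match(name, pattern):
    """OpenSSH patterns know only '*' and '?'; escape '[' so fnmatch does not
    treat it as a character class. User and group names match case-sensitively."""
    return fnmatch.fnmatchcase(name, pattern.replace("[", "[[]"))


def match_pattern_list(name, pattern_list):
    """Return 1 for a positive match, -1 if a negated entry matched, else 0
    (the same tri-state result OpenSSH's match_pattern_list() reports)."""
    got_positive = 0
    for sub in pattern_list.split(","):
        if not sub:
            continue
        negated = sub.startswith("!")
        if negated:
            sub = sub[1:]
        if glob_match(name, sub):
            if negated:
                return -1          # a negated match wins immediately
            got_positive = 1
    return got_positive


def parse_match_line(line):
    """Split 'Match Group sftp_group User *,!alice' into [(criterion, pattern_list), ...].

    Tokens are whitespace-separated, so 'User *, !alice' (space after the comma)
    yields an odd number of tokens and is rejected, just as sshd rejects the
    stray '!alice' as an unsupported Match attribute.
    """
    tokens = line.split()
    if not tokens or tokens[0].lower() != "match":
        raise ValueError("not a Match line")
    criteria = tokens[1:]
    if len(criteria) % 2:
        raise ValueError(f"Match criteria must come in keyword/pattern pairs: {line!r}")
    return [(criteria[i].lower(), criteria[i + 1]) for i in range(0, len(criteria), 2)]


def is_valid_match_line(line):
    """True if the line parses as a Match line with paired criteria."""
    try:
        parse_match_line(line)
        return True
    except ValueError:
        return False


def match_applies(line, user, groups):
    """True if the Match line selects `user`, whose group names are `groups`.
    All criteria on one Match line must hold (they are ANDed)."""
    for keyword, pattern_list in parse_match_line(line):
        if keyword == "user":
            if match_pattern_list(user, pattern_list) != 1:
                return False
        elif keyword == "group":
            # any group may match positively, but a negated match on any group wins
            found = False
            for group in groups:
                result = match_pattern_list(group, pattern_list)
                if result == -1:
                    return False
                if result == 1:
                    found = True
            if not found:
                return False
        else:
            raise ValueError(f"criterion not handled in this example: {keyword}")
    return True


if __name__ == "__main__":
    # constructed names; the notes' {specific_user} placeholder is 'alice' here
    line = "Match Group sftp_group User *,!alice"
    for user, groups in [("bob", ["sftp_group"]), ("alice", ["sftp_group"]), ("carol", ["users"])]:
        print(f"{user:6} groups={groups}: block applies = {match_applies(line, user, groups)}")
```

On a real server the authoritative check is sshd itself: `sudo sshd -T -C user={sftp_user},host=localhost,addr=127.0.0.1` prints the effective configuration for that connection, so you can confirm that chrootdirectory and authenticationmethods come out as intended for the sftp user and unchanged for the exempted one.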