Skip to content
Fragmented Development

Keeping keys for SSH, and passwords for SFTP

My VPS has lots of different applications residing on it, and many people need to access it in various ways. Sometimes, tightening security for one group can negatively impact another.

One instance of this has been authentication with SSH. I prefer key-based authentication, for the added security and ease of use (once set up). However, this type of authentication doesn't work well for my SFTP users - they all have passwords, and generating and managing keys for them would be difficult at best.

OpenSSH *does * provide a neat trick for getting around this, through Match blocks. These blocks can specify a separate set of configurations for a subset of connections that "match" the criteria. You can match on an IP address, port, user... and a group!

I created a sftp group, and added all of my SFTP-only users into that group. I then tweaked my sshd configuration with the following changes:

PasswordAuthentication no
AllowGroups ssh sftp

Match Group sftp
    ForceCommand /usr/lib/openssh/sftp-server
    PasswordAuthentication yes
    [ other security hardening ]

This prevents ordinary SSH connections - users in the ssh group - from connecting with just a password, but allows it with SFTP users. It also allows me to restrict what is allowed for those users, because they obviously won't need things like X11/port forwarding.

It's not often I find this kind of nice, usable compromise where security is concerned - this was a very happy discovery!

Tags: networking server security


Glad to hear it! FTP definitely had its day, but SFTP seems to have completely replaced its uses in my life. It's always good to have your connections encrypted. :)

Windigo –

Thanks for this. The "Match Group" mention pushed me to finally decommission my old FTP server in favor of SFTP. 👍

chimo –

Add Your Comment