Windows 2025
OpenSSH : SFTP only + Chroot
2024/11/27

Configure SFTP only + Chroot.
Users to whom this setting is applied can connect only with SFTP (no shell login) and are confined to their chroot directory.

[1] For example, set each user's home directory [C:\Users\**] as the Chroot directory.
PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Users\Administrator> New-LocalGroup -Name "sftp_users" -Description "sftp only users"

Name       Description
----       -----------
sftp_users sftp only users

PS C:\Users\Administrator> (Get-Content C:\ProgramData\ssh\sshd_config).Replace("Subsystem","#Subsystem") | Set-Content C:\ProgramData\ssh\sshd_config 
PS C:\Users\Administrator> $str_document = @'
Subsystem       sftp    internal-sftp
Match Group sftp_users
  AllowTcpForwarding no
  ChrootDirectory C:\Users\%u
  ForceCommand internal-sftp
'@ 

PS C:\Users\Administrator> $str_document | Add-Content C:\ProgramData\ssh\sshd_config 

PS C:\Users\Administrator> Restart-Service -Name "sshd" 

# for example, set [Serverworld] user as SFTP only user
PS C:\Users\Administrator> Add-LocalGroupMember -Group "sftp_users" -Member "Serverworld" 
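An idempotent version of step [1], added here as an example (it is not from the original page): it comments out only the currently active Subsystem lines instead of every line containing the word, appends the Match block only once, and checks the file with sshd -t before restarting the service. It assumes the same names and paths the page uses (config at C:\ProgramData\ssh\sshd_config, group sftp_users, chroot at C:\Users\%u, user Serverworld) and that the sshd executable path can be read from the service definition.

```powershell
# Added example, not from the original page. Run from an elevated PowerShell.
$ConfigPath = 'C:\ProgramData\ssh\sshd_config'   # default path on Windows OpenSSH
$GroupName  = 'sftp_users'
$SftpUser   = 'Serverworld'                      # example user from the page

$MatchBlock = @'
Subsystem       sftp    internal-sftp
Match Group sftp_users
  AllowTcpForwarding no
  ChrootDirectory C:\Users\%u
  ForceCommand internal-sftp
'@

if (-not (Get-LocalGroup -Name $GroupName -ErrorAction SilentlyContinue)) {
    New-LocalGroup -Name $GroupName -Description 'sftp only users' | Out-Null
}

Copy-Item $ConfigPath "$ConfigPath.bak" -Force   # keep a rollback copy

# Comment out only *active* Subsystem directives that are not already the
# internal-sftp line. A plain .Replace("Subsystem","#Subsystem") also hits
# lines that are already comments and, on a second run, the line we added.
$lines = Get-Content $ConfigPath | ForEach-Object {
    if ($_ -match '^\s*Subsystem\b' -and $_ -notmatch 'internal-sftp') { "#$_" } else { $_ }
}
Set-Content -Path $ConfigPath -Value $lines

# Match blocks must stay at the end of the file: every directive after "Match"
# applies only to the matched users. Append the block only if it is missing.
if (-not (Select-String -Path $ConfigPath -Pattern "^\s*Match Group $GroupName" -Quiet)) {
    Add-Content -Path $ConfigPath -Value $MatchBlock
}

# Sanity checks before restarting: exactly one active Subsystem line, and
# sshd must accept the file (-t is OpenSSH test mode; non-zero exit on error).
$active = @(Select-String -Path $ConfigPath -Pattern '^\s*Subsystem\b').Count
if ($active -ne 1) { throw "Expected exactly 1 active Subsystem line, found $active" }

$sshdExe = (Get-CimInstance Win32_Service -Filter "Name='sshd'").PathName.Trim('"')
& $sshdExe -t
if ($LASTEXITCODE -ne 0) { throw 'sshd rejected the new configuration; restore the .bak copy' }

Restart-Service -Name sshd

# Put the user in the group (ignore "already a member") and show the result.
Add-LocalGroupMember -Group $GroupName -Member $SftpUser -ErrorAction SilentlyContinue
Get-LocalGroupMember -Group $GroupName
```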
[2] Verify access as a user to whom the SFTP-only setting is applied.
PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Users\Serverworld> ssh Serverworld@10.0.0.101 
Enter passphrase for key 'C:\Users\Serverworld/.ssh/id_ed25519':
This service allows sftp connections only.
Connection to 10.0.0.101 closed.

PS C:\Users\Serverworld> sftp Serverworld@10.0.0.101 
Enter passphrase for key 'C:\Users\Serverworld/.ssh/id_ed25519':
Connected to 10.0.0.101.
sftp> pwd
Remote working directory: /
sftp> exit