IP restriction not working for SFTP user


Post by Atchaya » 2020/01/08 14:20:07

I am configuring an SFTP user with an IP restriction in CentOS 7. Below is my configuration in the sshd_config file.

Subsystem sftp internal-sftp -l INFO
Match User ravi Address X.X.X.X/32
PasswordAuthentication yes
ChrootDirectory %h
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp

With the above configuration, the jail and the IP address restriction were not working as expected. After logging into the SFTP account, it showed the present working directory as /home/ravi instead of / and we were able to log in from a restricted IP address. Please refer to the 'before_match_all.png' file for your reference.

To fix the jail issue, I added a "Match All" condition in the sshd_config file; after that, the jail started to work as expected (/). Please refer to the 'after_match_all.png' file for your reference.

Can anyone tell me how to restrict SFTP users on an IP basis in CentOS 7?

Re: IP restriction not working for SFTP user

Post by TrevorH » 2020/01/08 18:44:47

If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file.
So if you attempt to log in as user ravi from an IP address that is not X.X.X.X/32, then it will not match and will fall through and use the normal user requirements for others that are not ravi from X.X.X.X.

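Added example, not part of either post and not OpenSSH code: a simplified Python model of the Match fall-through described in the reply, showing why the posted block alone does not restrict ravi by address. The addresses 192.0.2.10 and 198.51.100.7, the second Match block with DenyUsers, and the helper names are assumptions made for illustration; the model handles only exact user names and `*`, CIDR and `!`-negated Address entries.

```python
import ipaddress

def addr_matches(patterns, addr):
    # Simplified Address list: '*', CIDR, or '!'-negated CIDR entries.
    ip, hit = ipaddress.ip_address(addr), False
    for pat in patterns.split(","):
        negated, pat = pat.startswith("!"), pat.lstrip("!")
        if pat == "*" or ip in ipaddress.ip_network(pat, strict=False):
            if negated:
                return False          # a negated hit vetoes the whole list
            hit = True
    return hit

def effective(config, user, addr):
    """Settings this model applies to a connection by `user` from `addr`."""
    global_opts, blocks, current = {}, [], None
    for line in config.splitlines():
        key, _, value = line.strip().partition(" ")
        if not key or key.startswith("#"):
            continue
        if key.lower() == "match":
            words = value.split()     # "User ravi Address a.b.c.d/32" or "All"
            current = (dict(zip(words[0::2], words[1::2])), {})
            blocks.append(current)
        elif current is None:
            global_opts.setdefault(key, value)
        else:
            current[1].setdefault(key, value)
    result, seen = dict(global_opts), set()
    for criteria, opts in blocks:
        if criteria.get("User", user) != user:
            continue                  # exact user names only in this model
        if "Address" in criteria and not addr_matches(criteria["Address"], addr):
            continue                  # criteria not all met: block is skipped
        for key, value in opts.items():
            if key not in seen:       # first matching block wins
                result[key] = value
                seen.add(key)
    return result

# Constructed samples: 192.0.2.10 stands in for X.X.X.X; HARDENED's extra block is an assumption.
ORIGINAL = """PasswordAuthentication yes
Match User ravi Address 192.0.2.10/32
ChrootDirectory %h
ForceCommand internal-sftp
"""
HARDENED = ORIGINAL + """Match User ravi Address *,!192.0.2.10/32
DenyUsers ravi
"""
```

On a real host, `sshd -T` with a `-C` connection specification prints the effective settings for a given user and address, which is the check to run before relying on any Match block.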