2

I've set up an OpenSSH SFTP connection with the help of documentation and WinSCP and want a colleague to be able to upload files to my computer using this SFTP connection.

  • I've created a new local user on my machine and when I test the connection, I'm able to view all folders, root directory, etc., but am unable to access any other folders except the one which I created (which is good), however I need to limit the permissions so the new user can only view the folder they're to upload the file to.
  • I've checked the permissions via Properties > Permissions > Security to see the users/groups that have access and have removed the new user from the Users group.
  • The new user doesn't appear to have access to any folder, but when I connect using [WinSCP] SFTP, I'm still able to see all folders; however, when I click a folder, I don't have access to it and receive an error.

How can I restrict the new user to only have access to view a single folder, as well as force the SFTP connection to open to that folder upon connecting?

4
  • This will need to be double-checked, but the easiest way would be to (1) Create a Windows user with no user-profile via net user add; (2) Create a non-default group for that specific user; (3) Ensure the new user is removed from all other groups; (4) Add that user to the ACL for the folder you want the user to access, providing the user only Files Only access (it may need to This Folder and Files) with Write Only privs. Also see icacls /?
    – JW0914
    Commented Aug 26, 2020 at 12:44
  • @JW0914 not sure what you mean by "create a non default group"? I've done all the other steps but the same problem still remains, the user has view access on all folders.
    – Anton
    Commented Aug 27, 2020 at 6:18
  • Create a new group that doesn't exist by default, adding the new user to it (this isn't required, but I find it helpful when adding users without a user profile). Does net user <username> return any Group memberships? You may have to explicitly Deny the new user access to C:, selecting This folder, subfolders, and files. I've never done so before, so you may have to play with this a little to find the right combination, as doing so to C: may block that user's access to the folder you want access to; if so, you may need to use the Advanced Permissions section if using the GUI.
    – JW0914
    Commented Aug 27, 2020 at 10:52
  • 2
    Does this answer your question? How do I restrict users to sftp in OpenSSH on Windows Server? Commented Aug 28, 2020 at 15:32

1 Answer

0

The below should help:

> Match User User1
>     ChrootDirectory E:\user1folder
> Match Group administrators
>     AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys
>     X11Forwarding no
>     AllowTcpForwarding no
>     ForceCommand internal-sftp
> Match User Administrator
>     X11Forwarding no
>     AllowTcpForwarding no
>     ForceCommand internal-sftp
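
An added example, not part of the original answer: a small Python check that reads an `sshd_config` and reports which of the lock-down directives used in the answer (`ChrootDirectory`, `ForceCommand internal-sftp`, `AllowTcpForwarding no`, `X11Forwarding no`) are missing from a given account's own `Match User` block. The function names and both sample configs are constructed for illustration, and the check assumes the policy that a chrooted upload account should carry all four directives in its own block; global settings and other `Match` criteria are not evaluated.

```python
# Directives the answer uses to confine an account to SFTP; None means "any value".
REQUIRED = {
    "chrootdirectory": None,
    "forcecommand": "internal-sftp",
    "allowtcpforwarding": "no",
    "x11forwarding": "no",
}

def match_user_blocks(config_text):
    """Return {user_lower: {keyword_lower: value}} for each `Match User` block."""
    blocks, current = {}, None
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()               # sshd keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            crit = value.split()
            current = None
            # Assumption: only the simple form `Match User a,b` is handled.
            if len(crit) == 2 and crit[0].lower() == "user":
                current = [blocks.setdefault(u.lower(), {}) for u in crit[1].split(",")]
        elif current is not None:
            for settings in current:
                settings.setdefault(keyword, value)  # first value obtained wins
    return blocks

def audit_user(config_text, user):
    """List the REQUIRED directives that are missing or wrong for `user`."""
    settings = match_user_blocks(config_text).get(user.lower(), {})
    problems = []
    for key, wanted in REQUIRED.items():
        got = settings.get(key)
        if got is None:
            problems.append(f"{key}: not set")
        elif wanted is not None and got.lower() != wanted:
            problems.append(f"{key}: {got!r}, expected {wanted!r}")
    return problems

# Constructed samples: a block that only sets the chroot, and a fully locked-down one.
CHROOT_ONLY = "Match User User1\n    ChrootDirectory E:\\user1folder\n"
HARDENED = (CHROOT_ONLY + "    ForceCommand internal-sftp\n"
            "    AllowTcpForwarding no\n    X11Forwarding no\n")

if __name__ == "__main__":
    for name, cfg in (("chroot only", CHROOT_ONLY), ("hardened", HARDENED)):
        print(name, "->", audit_user(cfg, "User1") or "OK")
```
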
