sshd not allowing a subgroup to authenticate according to it's authentication method

John Johnstone jjohnstone-freebsdquestions at
Wed Mar 25 17:43:36 UTC 2020

On 3/25/20 1:01 AM, David Mehler wrote:
> Hello,
> Thanks, actually it's not anyone in the sshusers group, that's working
> fine, and I am not in sftpusers. Other users are in that group and
> they're being prompted for public keys and rejected because they're
> trying to use passwords.
> Thanks.
> Dave.
> On 3/25/20, Jim Trigg <jtrigg at> wrote:
>> At a guess, you're also a member of sshusers. Try putting the sftpusers
>> stanza before the sshusers stanza.
>> Thanks,
>> Jim Trigg

I have a configuration for user accounts that are restricted to sftp 
only that is working.  Here is a diff of my sshd_config to the original 
12.0 one.

> diff /etc/ssh/sshd_config /etc/ssh/sshd_config.orig
> 123,131d121
> < 
> < Match Group chrootgrp
> <        ChrootDirectory %h
> <        ForceCommand internal-sftp -d data -l INFO
> <        AllowAgentForwarding no
> <        AllowTcpForwarding no
> <        PermitTTY no
> <        PermitTunnel no
> <        X11Forwarding no

The only difference I see to what you have, is that mine doesn't have

PasswordAuthentication yes

A script is used to create new users that does:

pw useradd $username $uidflag -c "$ugecos" -G $groupname -s
/usr/sbin/nologin -e +$acctexp -w random

where groupname is chrootgrp.

Then it creates the home directory:

mkdir -p /home/$username/data
chown root:wheel /home/$username
chown $username:$username /home/$username/data

For syslog logging:

mkdir -p /home/$username/dev
chown root:wheel /home/$username/dev

With syslogd_flags in /etc/rc.conf getting:

-l /home/$username/dev/log

added to it.  Which only works for a small number of users because of 
the 19 additional syslogd sockets limit.

John J.

More information about the freebsd-questions mailing list