Hello,
Bruno's suggestion works, except that you have to use
Group and not group in the Match directive and, of course, add the sftp users to the sftpusers group.
man sshd_config wrote:
Match   Introduces a conditional block. If all of the criteria on the Match line are satisfied, the keywords on the following lines
override those set in the global section of the config file, until either another Match line or the end of the file. If a
keyword appears in multiple Match blocks that are satisfied, only the first instance of the keyword is applied.
The arguments to Match are one or more criteria-pattern pairs or the single token All which matches all criteria. The available
criteria are User, Group, Host, LocalAddress, LocalPort, and Address. The match patterns may consist of single entries
or comma-separated lists and may use the wildcard and negation operators described in the PATTERNS section of ssh_config(5).
The patterns in an Address criteria may additionally contain addresses to match in CIDR address/masklen format, such as
192.0.2.0/24 or 2001:db8::/32. Note that the mask length provided must be consistent with the address - it is an error to
specify a mask length that is too long for the address or one with bits set in this host portion of the address. For example,
192.0.2.0/33 and 192.0.2.0/8, respectively.
Only a subset of keywords may be used on the lines following a Match keyword. Available keywords are AcceptEnv,
AllowAgentForwarding, AllowGroups, AllowStreamLocalForwarding, AllowTcpForwarding, AllowUsers, AuthenticationMethods,
AuthorizedKeysCommand, AuthorizedKeysCommandUser, AuthorizedKeysFile, AuthorizedPrincipalsCommand,
AuthorizedPrincipalsCommandUser, AuthorizedPrincipalsFile, Banner, ChrootDirectory, ClientAliveCountMax, ClientAliveInterval,
DenyGroups, DenyUsers, ForceCommand, GatewayPorts, GSSAPIAuthentication, HostbasedAcceptedKeyTypes, HostbasedAuthentication,
HostbasedUsesNameFromPacketOnly, IPQoS, KbdInteractiveAuthentication, KerberosAuthentication, MaxAuthTries, MaxSessions,
PasswordAuthentication, PermitEmptyPasswords, PermitOpen, PermitRootLogin, PermitTTY, PermitTunnel, PermitUserRC,
PubkeyAcceptedKeyTypes, PubkeyAuthentication, RekeyLimit, RevokedKeys, StreamLocalBindMask, StreamLocalBindUnlink,
TrustedUserCAKeys, X11DisplayOffset, X11Forwarding and X11UseLocalHost.
You can also restrict this password-authentication rule to a single user with:
Match User toto
PasswordAuthentication yes
or to several users
Match User toto,tata,titi
PasswordAuthentication yes
Or use "patterns" and so on, as described in the ssh_config man page:
PATTERNS
A pattern consists of zero or more non-whitespace characters, ‘*’ (a wildcard that matches zero or more characters), or ‘?’ (a wildcard
that matches exactly one character). For example, to specify a set of declarations for any host in the ".co.uk" set of domains,
the following pattern could be used:
Host *.co.uk
The following pattern would match any host in the 192.168.0.[0-9] network range:
Host 192.168.0.?
A pattern-list is a comma-separated list of patterns. Patterns within pattern-lists may be negated by preceding them with an exclamation
mark (‘!’). For example, to allow a key to be used from anywhere within an organization except from the "dialup" pool, the
following entry (in authorized_keys) could be used:
from="!*.dialup.example.com,*.example.com"
The configuration possibilities are broad.
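The two rules quoted from sshd_config(5) above that bite people in practice are that a Match block overrides the global section, and that when several satisfied Match blocks set the same keyword only the first instance applies. The script below is an added example, not code from this thread or from OpenSSH: it parses a small sshd_config in the same shape as the sftp chroot plus per-user password setup discussed here (the config text, the `sftpusers` group, the `/srv/sftp/%u` path and the users toto, tata and titi are constructed for the example) and resolves the settings sshd would apply for a given user and group list. It models the User, Group, Host and Address criteria with ssh_config(5) pattern lists (wildcards and `!` negation); CIDR masks, LocalAddress and LocalPort are not modelled, and only the `Keyword value` form is parsed.

```python
"""Added example: resolve sshd_config Match blocks the way sshd_config(5) describes.

Not OpenSSH code. Models three rules: a Match block applies only when all its
criteria match; its keywords override the global section; and when several
satisfied blocks set the same keyword, only the first instance is applied.
"""
import shlex


def match_pattern(value, pattern):
    """ssh_config(5) PATTERNS: '*' matches zero or more characters, '?' exactly one."""
    if not pattern:
        return value == ""
    if pattern[0] == "*":
        return any(match_pattern(value[i:], pattern[1:]) for i in range(len(value) + 1))
    if not value or (pattern[0] != "?" and pattern[0] != value[0]):
        return False
    return match_pattern(value[1:], pattern[1:])


def match_pattern_list(value, pattern_list):
    """Comma-separated pattern list: a matching '!'-negated pattern rejects outright,
    otherwise any positive match accepts (same evaluation order as OpenSSH's match.c)."""
    accepted = False
    for pat in pattern_list.split(","):
        if pat.startswith("!"):
            if match_pattern(value, pat[1:]):
                return False
        elif match_pattern(value, pat):
            accepted = True
    return accepted


def parse_config(text):
    """Split sshd_config text into (global_settings, [(criteria, settings), ...]).

    Keywords are case-insensitive and, as in sshd, the first value seen for a
    keyword within a section wins. Only the 'Keyword value' form is handled.
    """
    global_settings, blocks = {}, []
    current = global_settings
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        keyword, args = tokens[0].lower(), tokens[1:]
        if keyword == "match":
            if len(args) == 1 and args[0].lower() == "all":
                criteria = {}  # no criteria: the block matches every connection
            else:
                if len(args) % 2:
                    raise ValueError("Match needs criteria-pattern pairs: %s" % line)
                criteria = {args[i].lower(): args[i + 1] for i in range(0, len(args), 2)}
            current = {}
            blocks.append((criteria, current))
        else:
            current.setdefault(keyword, " ".join(args))
    return global_settings, blocks


def block_applies(criteria, user, groups, host="", address=""):
    """All criteria on the Match line must be satisfied. User, Group, Host and
    Address are modelled as pattern lists; CIDR masks, LocalAddress and
    LocalPort are not (simplification of this example)."""
    checks = {
        "user": lambda pat: match_pattern_list(user, pat),
        "group": lambda pat: any(match_pattern_list(g, pat) for g in groups),
        "host": lambda pat: match_pattern_list(host, pat),
        "address": lambda pat: match_pattern_list(address, pat),
    }
    for crit, pat in criteria.items():
        if crit not in checks:
            raise ValueError("unsupported Match criterion in this example: %s" % crit)
        if not checks[crit](pat):
            return False
    return True


def effective_settings(text, user, groups, host="", address=""):
    """Settings sshd would apply to a connection from `user` (member of `groups`)."""
    global_settings, blocks = parse_config(text)
    overrides = {}
    for criteria, settings in blocks:
        if block_applies(criteria, user, groups, host, address):
            for key, value in settings.items():
                overrides.setdefault(key, value)  # first satisfied block wins per keyword
    return {**global_settings, **overrides}  # Match keywords override the global section


# Constructed sample config (not from the thread): passwords off globally, an
# SFTP-only chroot for the sftpusers group, passwords re-enabled for three users.
# The last block is deliberately ineffective for toto: the earlier Match User
# block already set PasswordAuthentication, and only the first instance applies.
SAMPLE_CONFIG = """
PasswordAuthentication no
Subsystem sftp internal-sftp

Match Group sftpusers
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no

Match User toto,tata,titi
    PasswordAuthentication yes

Match User toto
    PasswordAuthentication no
"""

if __name__ == "__main__":
    for user, groups in (("toto", ["sftpusers"]), ("tata", ["tata"]), ("bob", ["bob"])):
        print(user, effective_settings(SAMPLE_CONFIG, user, groups))
```

Running it shows toto getting the chroot settings from the Group block and PasswordAuthentication yes from the first User block (the later `Match User toto` block changes nothing), tata getting password authentication without the chroot, and bob keeping the global PasswordAuthentication no. On a real host the authoritative check is `sshd -T -C user=toto,host=...,addr=...`, which prints the effective configuration for that connection.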