Why My SFTP Authentication Failed With Perfect Keys

A debugging story from the backup pipeline I posted about last week. 🐛

While locking down that restricted SFTP user, I hit a wall. Key permissions correct. authorized_keys correct. sshd_config looked right. Authentication kept failing silently.

The culprit: AllowUsers in sshd_config.

That directive filters connections before key evaluation. My restricted service account wasn't in the list, so SSH never got around to checking the key. From the client side it looked like a key problem. From the server side, the connection was being rejected several steps earlier in the pipeline.

🔧 The fix was a one-liner. But the lesson stuck.

📚 SSH config is sequential. A gate failing earlier makes everything downstream invisible. Reading the man page properly, instead of pattern-matching against Stack Overflow, saves an embarrassing amount of time.
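A pre-flight check for the gate described above, as an added example that is not from the original post: it reads sshd configuration lines and reports whether an account would pass AllowUsers/DenyUsers before any key is looked at. The function names, the sample configuration and the account name `backup-svc` are assumptions made for illustration; group directives, Match blocks, CIDR and negated host patterns are not handled.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight check of sshd's
# user gate. Covers AllowUsers/DenyUsers only (no groups, no Match blocks).

# match_entry USER HOST ENTRY: succeed if ENTRY (USER or USER@HOST) matches.
# Only simple * and ? wildcards are handled; CIDR and negated host lists are not.
match_entry() {
    case "$1" in ${3%%@*}) ;; *) return 1 ;; esac   # user part
    case "$3" in *@*) ;; *) return 0 ;; esac        # no host part: done
    case "$2" in ${3#*@}) return 0 ;; esac          # host part
    return 1
}

# sshd_user_gate USER [HOST] < config
# Reads "keyword value..." lines (sshd_config style or `sshd -T` output) and
# prints one of: allowed | denied:DenyUsers | denied:AllowUsers
sshd_user_gate() (
    user=$1 host=${2:-}
    have_allow=0 in_allow=0 in_deny=0
    set -f  # do not glob-expand patterns such as deploy-* (subshell-local)
    while read -r key rest || [ -n "$key" ]; do
        key=$(printf '%s' "$key" | tr '[:upper:]' '[:lower:]')
        case "$key" in allowusers|denyusers) ;; *) continue ;; esac
        if [ "$key" = allowusers ]; then have_allow=1; fi
        for entry in $rest; do
            match_entry "$user" "$host" "$entry" || continue
            if [ "$key" = denyusers ]; then in_deny=1; else in_allow=1; fi
        done
    done
    if [ "$in_deny" -eq 1 ]; then
        echo "denied:DenyUsers"      # DenyUsers is processed first
    elif [ "$have_allow" -eq 1 ] && [ "$in_allow" -eq 0 ]; then
        echo "denied:AllowUsers"     # a list exists and the user is not on it
    else
        echo "allowed"
    fi
)

# Constructed sample config; backup-svc is a hypothetical account name.
SAMPLE_CONFIG='# who may log in
AllowUsers alice deploy-* ops@10.0.0.*
PasswordAuthentication no'

printf '%s\n' "$SAMPLE_CONFIG" | sshd_user_gate backup-svc 10.0.0.5
```

On a live host the same function can be fed the effective configuration, for example `sshd -T | sshd_user_gate backup-svc 10.0.0.5` run as root.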

A related lesson from the same project: RESTIC_SFTP_COMMAND is unreliable in practice. The SSH config alias pattern reads cleaner in scripts and just works.

The unglamorous parts of Linux are where the real learning happens.