TrustedUserCAKeys /etc/ssh/user_ca_key.pub Match User {{ backup_share_user }} AuthorizedPrincipalsFile /etc/ssh/backup_principals ChrootDirectory /kvm/data ForceCommand internal-sftp AllowTcpForwarding no X11Forwarding no Match User {{ backup_control_user }} AuthorizedPrincipalsFile /etc/ssh/backup_principals ForceCommand /home/{{ backup_control_user }}/control.sh AllowTcpForwarding no X11Forwarding no