diff --git a/jobs/jumpbox/templates/bin/pre-start b/jobs/jumpbox/templates/bin/pre-start
index 32114bc..9f1536e 100644
--- a/jobs/jumpbox/templates/bin/pre-start
+++ b/jobs/jumpbox/templates/bin/pre-start
@@ -3,8 +3,17 @@ set -e
 # force ssh logins into the docker container unless the user is jumpbox or is coming from a bosh ssh session
-if ! grep -e 'ForceCommand' /etc/ssh/sshd_config -q; then
- echo "Match User *,!jumpbox,!bosh_*" >> /etc/ssh/sshd_config
+if ! grep -e 'ForceCommand /var/vcap/jobs/jumpbox/bin/jumpbox' /etc/ssh/sshd_config -q; then
+ echo "Match User *,!jumpbox,!bosh_*,!*-scp" >> /etc/ssh/sshd_config
 echo " ForceCommand /var/vcap/jobs/jumpbox/bin/jumpbox" >> /etc/ssh/sshd_config
 service ssh restart
 fi
+
+# force sftp logins for all *-scp users
+if ! grep -e 'ForceCommand internal-sftp' /etc/ssh/sshd_config -q; then
+ echo "Match User *-scp" >> /etc/ssh/sshd_config
+ echo " X11Forwarding no" >> /etc/ssh/sshd_config
+ echo " AllowTcpForwarding no" >> /etc/ssh/sshd_config
+ echo " ForceCommand internal-sftp" >> /etc/ssh/sshd_config
+ service ssh restart
+fi
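Review bot: The new `!*-scp` exclusion is never applied on a VM whose sshd_config already holds the old `Match User *,!jumpbox,!bosh_*` block, because the first grep keys on the unchanged `ForceCommand /var/vcap/jobs/jumpbox/bin/jumpbox` line and so skips the whole block; sshd uses the first value it obtains for a keyword, so a `*-scp` user still matches that earlier block, gets the jumpbox ForceCommand, and the appended `Match User *-scp` / `ForceCommand internal-sftp` block is dead configuration for them. A migration step before the first `if`, e.g. `sed -i 's/^Match User \*,!jumpbox,!bosh_\*$/&,!*-scp/' /etc/ssh/sshd_config`, would rewrite the legacy line in place rather than relying on a fresh stemcell. I'd also note that the sftp block disables X11 and TCP forwarding but not agent forwarding or tunnels; adding `AllowAgentForwarding no` and `PermitTunnel no` matches the intent of confining these accounts to file transfer, and if the deployment expects `*-scp` users not to browse the host filesystem, a `ChrootDirectory` would be needed as well — that depends on how those home directories are laid out, which the hunk does not show.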