openssh bugs - Mar 2020 - [Bug 3131] New: [PATCH] Adding a chroot-directory option per key in authorized_keys file

https://bugzilla.mindrot.org/show_bug.cgi?id=3131

            Bug ID: 3131
           Summary: [PATCH] Adding a chroot-directory option per key in
                    authorized_keys file
           Product: Portable OpenSSH
           Version: 8.2p1
          Hardware: Other
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: davidshlemayev at gmail.com

Created attachment 3361
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3361&action=edit
Patch file to add a per-key chroot-directory option

I'm trying to create a temporary sftp "inbox", so users can share
files more easily.
To do that I want the sender to generate a temporary key pair, send me
the public key securely (perhaps over TLS or a trusted third party),
then I can add a line in authorized_keys like this:

restrict,command="internal-sftp",chroot-directory="/run/ssh-inbox/1000/05b475...a592b2"
ssh-rsa AAAAB3NzaC...kIQX3jyJ2oM
Which allows only sftp access to the following key, chrooted to the
given directory (which is owned by root, created by a daemon/suid
binary/etc), which is /run/ssh-inbox/<UID>/<SHA256(pubkey)>/
My patch verifies that the key has restrict and
command="internal-sftp" set before accepting the key.

I tried to stick to the surrounding code style as much as I could, let
me know if i need to fix anything.

Thanks,
- David

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3131

David Shlemayev <davidshlemayev at gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |davidshlemayev at gmail.com

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3131

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org

--- Comment #1 from Damien Miller <djm at mindrot.org> ---
AFAIK it's a bad idea to give the chroot ability to non-privileged
users - there are a number of plausible paths to uid=0 if you can
effectively write to / and /etc. This is why the chroot(1) syscall
requires root privileges to begin with.

I appreciate your precaution of requiring force-command and
sftp-server, but I'm not sure whether your need would be better served
by putting a fake-chroot ability into sftp-server directly.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3131

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |WONTFIX

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.