DI Roman Fiedler wrote:> I'm searching for a simple solution to allow access to only one
> directory of an existing user (that may not login) via sftp-server and
> authorized_keys file using the extended syntax
>
> command="/usr/lib/openssh/sftp-server --root
>
/data/exchange",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty
> ssh-rsa AAA...keydata
>
> Is something like that already possible, is there a better solution?
I wrote a patch which could facilitate this. It allows requests (as
defined in RFC 4254) to be controlled using a configuration like the
following:
Match Group restricted
GlobalReqDeny tcpip-forward
GlobalReqDeny direct-tcpip
ChannelDeny x11
ChannelReqDeny shell
ChannelReqDeny exec
ChannelReqDeny x11-req
ChannelReqDeny pty-req
ChannelReqDeny env
Subsystem sftp /usr/lib/openssh/sftp-server --chroot
The above would effectively only allow "session" channels to be opened
and only "subsystem" requests to be made for any user in the
"restricted" group. So X11 requests of any kind, port forwarding and
shell/exec requests would be disabled. There are loads of chroot patches
around which you could use, but mine jails to the user's home directory.
The patch was meant as a proof of concept, which I'd tidy up if there
was any interest. There wasn't any and it does everything I personally
need, so has been stagnant for a while. Let me know if you want to take
a look at it... I've even got a modified Ubuntu package.
Jon