openssh unix dev - Jul 2015 - Feature request/RFC: sftp-chroot authorized_keys option

Hi!

[ If this is the wrong mailing list for such requests, please apologize
  and direct me to the right one ]

Since I have a particular use case for it[0], I wonder if it would be
possible to implement a key based (i.e. configured via
~/.ssh/authorized_keys option) restriction to allow sftp access to a
specific directory only. I'm aware that I can restrict a specific key to
use sftp only using 'command="internal-sftp"', but I want to
impose an
additional restriction to a specific directory, e.g. by adding
'sftp-chroot="/some/directory"'. This is already possible on a
per-user
basis in sshd_config using ChrootDirectory, but my question is:

- Would it be possible to implement this feature on a per-key basis
  within the current architecture of OpenSSH (i.e. without major tweaks
  to the codebase)?
- If so, is this a feature that would be considered worthwhile enough to
  be considered for inclusion, should someone step up and provide a
  reasonable implementation?

If the answer is no to either of the above questions, I'd like to hear
that reasoning of well, of course.

If that feature is deemed both implementable (without affecting the
OpenSSH architecture) and worthwhile, I might try my hand at it,
although note that I'm both a newbie to the OpenSSH project's
development, and would do this in my spare time, thus it'd probably take
a while, and require (quite?) a bit of steering/review.

If anyone has ideas (e.g. areas of code that would require changes) of
how that feature can/should be implemented, or would like to implement
it themselves, I'm all ears :-).


[0] For the specific use case I mentioned: I'd like for my mobile device
    to have SFTP access, restricted to a specific directory on my
    server. It should have access using my regular account, such that
    access permissions between my regular shell account and the files
    created by the mobile device are compatible.

    Currently I solve this use case using a combination of access via
    WebDAV and POSIX ACLs, but I'd prefer an SSH-based solution for its
    stronger authentication/crypto, not requiring ACLs, and avoiding
    UIDs differing between files created by the WebDAV httpd and the
    shell account.

Regards, Rotty
-- 
Andreas Rottmann -- <http://rotty.xx.vu/>

One alternative implementation might be to create additional user for
mobile device, which:
- shares UID/GID with your current/main user
- has homedir is set somewhere inside main user's homedir
- has shell set to /sbin/nologin (or similar)
- is chrooted to his homedir via ssh

The downside is that this mobile user might be able to manage own ssh
keys, which might or might not be preferable in your case.

That said, I find your suggestion quite intriguing, especially the bit
that (implicitly) prohibits management of own authorized keys.

b.



On 22 July 2015 at 00:29, Andreas Rottmann <mail at rotty.xx.vu>
wrote:
> Hi!
>
> [ If this is the wrong mailing list for such requests, please apologize
>   and direct me to the right one ]
>
> Since I have a particular use case for it[0], I wonder if it would be
> possible to implement a key based (i.e. configured via
> ~/.ssh/authorized_keys option) restriction to allow sftp access to a
> specific directory only. I'm aware that I can restrict a specific key
to
> use sftp only using 'command="internal-sftp"', but I want
to impose an
> additional restriction to a specific directory, e.g. by adding
> 'sftp-chroot="/some/directory"'. This is already possible
on a per-user
> basis in sshd_config using ChrootDirectory, but my question is:
>
> - Would it be possible to implement this feature on a per-key basis
>   within the current architecture of OpenSSH (i.e. without major tweaks
>   to the codebase)?
> - If so, is this a feature that would be considered worthwhile enough to
>   be considered for inclusion, should someone step up and provide a
>   reasonable implementation?
>
> If the answer is no to either of the above questions, I'd like to hear
> that reasoning of well, of course.
>
> If that feature is deemed both implementable (without affecting the
> OpenSSH architecture) and worthwhile, I might try my hand at it,
> although note that I'm both a newbie to the OpenSSH project's
> development, and would do this in my spare time, thus it'd probably
take
> a while, and require (quite?) a bit of steering/review.
>
> If anyone has ideas (e.g. areas of code that would require changes) of
> how that feature can/should be implemented, or would like to implement
> it themselves, I'm all ears :-).
>
>
> [0] For the specific use case I mentioned: I'd like for my mobile
device
>     to have SFTP access, restricted to a specific directory on my
>     server. It should have access using my regular account, such that
>     access permissions between my regular shell account and the files
>     created by the mobile device are compatible.
>
>     Currently I solve this use case using a combination of access via
>     WebDAV and POSIX ACLs, but I'd prefer an SSH-based solution for its
>     stronger authentication/crypto, not requiring ACLs, and avoiding
>     UIDs differing between files created by the WebDAV httpd and the
>     shell account.
>
> Regards, Rotty
> --
> Andreas Rottmann -- <http://rotty.xx.vu/>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev