Andreas Rottmann
2015-Jul-21 22:29 UTC
Feature request/RFC: sftp-chroot authorized_keys option
Hi!

[ If this is the wrong mailing list for such requests, please apologize and direct me to the right one ]

Since I have a particular use case for it[0], I wonder if it would be possible to implement a key based (i.e. configured via ~/.ssh/authorized_keys option) restriction to allow sftp access to a specific directory only. I'm aware that I can restrict a specific key to use sftp only using 'command="internal-sftp"', but I want to impose an additional restriction to a specific directory, e.g. by adding 'sftp-chroot="/some/directory"'. This is already possible on a per-user basis in sshd_config using ChrootDirectory, but my question is:

- Would it be possible to implement this feature on a per-key basis within the current architecture of OpenSSH (i.e. without major tweaks to the codebase)?
- If so, is this a feature that would be considered worthwhile enough to be considered for inclusion, should someone step up and provide a reasonable implementation?

If the answer is no to either of the above questions, I'd like to hear that reasoning as well, of course.

If that feature is deemed both implementable (without affecting the OpenSSH architecture) and worthwhile, I might try my hand at it, although note that I'm both a newbie to the OpenSSH project's development, and would do this in my spare time, thus it'd probably take a while, and require (quite?) a bit of steering/review.

If anyone has ideas (e.g. areas of code that would require changes) of how that feature can/should be implemented, or would like to implement it themselves, I'm all ears :-).

[0] For the specific use case I mentioned: I'd like for my mobile device to have SFTP access, restricted to a specific directory on my server. It should have access using my regular account, such that access permissions between my regular shell account and the files created by the mobile device are compatible.

Currently I solve this use case using a combination of access via WebDAV and POSIX ACLs, but I'd prefer an SSH-based solution for its stronger authentication/crypto, not requiring ACLs, and avoiding UIDs differing between files created by the WebDAV httpd and the shell account.

Regards, Rotty
--
Andreas Rottmann -- <http://rotty.xx.vu/>
Bostjan Skufca
2015-Jul-22 11:56 UTC
Feature request/RFC: sftp-chroot authorized_keys option
One alternative implementation might be to create an additional user for the mobile device, which:

- shares UID/GID with your current/main user
- has homedir set somewhere inside main user's homedir
- has shell set to /sbin/nologin (or similar)
- is chrooted to his homedir via ssh

The downside is that this mobile user might be able to manage own ssh keys, which might or might not be preferable in your case.

That said, I find your suggestion quite intriguing, especially the bit that (implicitly) prohibits management of own authorized keys.

b.

On 22 July 2015 at 00:29, Andreas Rottmann <mail at rotty.xx.vu> wrote:
> Hi!
>
> [ If this is the wrong mailing list for such requests, please apologize
> and direct me to the right one ]
>
> Since I have a particular use case for it[0], I wonder if it would be
> possible to implement a key based (i.e. configured via
> ~/.ssh/authorized_keys option) restriction to allow sftp access to a
> specific directory only. I'm aware that I can restrict a specific key to
> use sftp only using 'command="internal-sftp"', but I want to impose an
> additional restriction to a specific directory, e.g. by adding
> 'sftp-chroot="/some/directory"'. This is already possible on a per-user
> basis in sshd_config using ChrootDirectory, but my question is:
>
> - Would it be possible to implement this feature on a per-key basis
>   within the current architecture of OpenSSH (i.e. without major tweaks
>   to the codebase)?
> - If so, is this a feature that would be considered worthwhile enough to
>   be considered for inclusion, should someone step up and provide a
>   reasonable implementation?
>
> If the answer is no to either of the above questions, I'd like to hear
> that reasoning as well, of course.
>
> If that feature is deemed both implementable (without affecting the
> OpenSSH architecture) and worthwhile, I might try my hand at it,
> although note that I'm both a newbie to the OpenSSH project's
> development, and would do this in my spare time, thus it'd probably take
> a while, and require (quite?) a bit of steering/review.
>
> If anyone has ideas (e.g. areas of code that would require changes) of
> how that feature can/should be implemented, or would like to implement
> it themselves, I'm all ears :-).
>
>
> [0] For the specific use case I mentioned: I'd like for my mobile device
>     to have SFTP access, restricted to a specific directory on my
>     server. It should have access using my regular account, such that
>     access permissions between my regular shell account and the files
>     created by the mobile device are compatible.
>
>     Currently I solve this use case using a combination of access via
>     WebDAV and POSIX ACLs, but I'd prefer an SSH-based solution for its
>     stronger authentication/crypto, not requiring ACLs, and avoiding
>     UIDs differing between files created by the WebDAV httpd and the
>     shell account.
>
> Regards, Rotty
> --
> Andreas Rottmann -- <http://rotty.xx.vu/>
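
An added example, not part of either post and not OpenSSH code: sshd accepts a ChrootDirectory only if every component of the path is a root-owned directory that is not writable by group or others, so a chroot target placed under a user-owned home directory is worth checking before relying on the per-user setup discussed above. The function names are assumptions, and `stat -c` assumes GNU or busybox stat.

```shell
#!/bin/sh
# Added example: pre-flight check for a candidate ChrootDirectory path.

# component_ok UID MODE -> 0 if a component with this owner uid and octal
# mode is acceptable: owned by root, no group-write or other-write bit.
component_ok() {
    [ "$1" -eq 0 ] || return 1
    # 022 = group-write (020) | other-write (002); leading 0 means octal.
    [ $(( 0$2 & 022 )) -eq 0 ] || return 1
    return 0
}

# chroot_path_ok DIR -> 0 if "/", "/a", "/a/b", ... down to DIR all pass.
# Reports the first offending component on stderr.
chroot_path_ok() {
    case $1 in
        /*) ;;
        *) echo "not an absolute path: $1" >&2; return 2 ;;
    esac
    rest=${1#/}
    cur=
    while :; do
        dir=${cur:-/}
        [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
        # -L follows symlinks, so the target's owner and mode are checked.
        info=$(stat -L -c '%u %a' "$dir") || return 1
        if ! component_ok "${info% *}" "${info#* }"; then
            echo "bad ownership or modes: $dir (uid mode: $info)" >&2
            return 1
        fi
        [ -n "$rest" ] || return 0
        name=${rest%%/*}
        case $rest in
            */*) rest=${rest#*/} ;;
            *)   rest= ;;
        esac
        if [ -n "$name" ]; then cur=$cur/$name; fi
    done
}
```

Run `chroot_path_ok` on the intended chroot directory as any user; a non-zero status names the component that would make sshd refuse the session.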