David Shlemayev
2020-Feb-22 17:40 UTC
Adding a chroot-directory option per key in authorized_keys file
I'm trying to create a temporary sftp "inbox", so users can share files more easily. To do that I want the sender to generate a temporary key pair, send me the public key securely (perhaps over TLS or a trusted third party), then I can add a line in authorized_keys like this: restrict,command="internal-sftp",chroot-directory="/run/ssh-inbox/1000/05b475...a592b2" ssh-rsa AAAAB3NzaC...kIQX3jyJ2oM Which allows only sftp access to the following key, chrooted to the given directory (which is owned by root, created by a daemon/suid binary/etc), which is /run/ssh-inbox/<UID>/<SHA256(pubkey)>/ My patch verifies that the key has restrict and command="internal-sftp" set before accepting the key. I tried to stick to the surrounding code style as much as I could, let me know if i need to fix anything. Thanks, - David -------------- next part -------------- A non-text attachment was scrubbed... Name: openssh-chroot_dir-authorized_keys.patch Type: text/x-patch Size: 7119 bytes Desc: not available URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20200222/4dd9e74b/attachment-0001.bin>