[Bug 3131] New: [PATCH] Adding a chroot-directory option per key in authorized_keys file

bugzilla-daemon at bugzilla.mindrot.org bugzilla-daemon at bugzilla.mindrot.org
Fri Mar 6 22:13:47 AEDT 2020


https://bugzilla.mindrot.org/show_bug.cgi?id=3131

            Bug ID: 3131
           Summary: [PATCH] Adding a chroot-directory option per key in
                    authorized_keys file
           Product: Portable OpenSSH
           Version: 8.2p1
          Hardware: Other
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: davidshlemayev at gmail.com

Created attachment 3361
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3361&action=edit
Patch file to add a per-key chroot-directory option

I'm trying to create a temporary sftp "inbox", so users can share
files more easily.
To do that I want the sender to generate a temporary key pair, send me
the public key securely (perhaps over TLS or a trusted third party),
then I can add a line in authorized_keys like this:

restrict,command="internal-sftp",chroot-directory="/run/ssh-inbox/1000/05b475...a592b2"
ssh-rsa AAAAB3NzaC...kIQX3jyJ2oM=

Which allows only sftp access to the following key, chrooted to the
given directory (which is owned by root, created by a daemon/suid
binary/etc), which is /run/ssh-inbox/<UID>/<SHA256(pubkey)>/
My patch verifies that the key has restrict and
command="internal-sftp" set before accepting the key.

I tried to stick to the surrounding code style as much as I could, let
me know if i need to fix anything.

Thanks,
- David

-- 
You are receiving this mail because:
You are watching the assignee of the bug.


More information about the openssh-bugs mailing list