sftp-server only in subdir possible?
Jonathan Miles
jon at cybus.co.uk
Thu Sep 13 00:31:39 EST 2007
DI Roman Fiedler wrote:
> I'm searching for a simple solution to allow access to only one
> directory of an existing user (that may not login) via sftp-server and
> authorized_keys file using the extended syntax
>
> command="/usr/lib/openssh/sftp-server --root
> /data/exchange",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty
> ssh-rsa AAA...keydata
>
> Is something like that already possible, is there a better solution?
I wrote a patch which could facilitate this. It allows requests (as
defined in RFC 4254) to be controlled using a configuration like the
following:
Match Group restricted
    GlobalReqDeny tcpip-forward
    GlobalReqDeny direct-tcpip
    ChannelDeny x11
    ChannelReqDeny shell
    ChannelReqDeny exec
    ChannelReqDeny x11-req
    ChannelReqDeny pty-req
    ChannelReqDeny env
    Subsystem sftp /usr/lib/openssh/sftp-server --chroot
The above would effectively only allow "session" channels to be opened
and only "subsystem" requests to be made for any user in the
"restricted" group. So X11 requests of any kind, port forwarding and
shell/exec requests would be disabled. There are loads of chroot patches
around which you could use, but mine jails to the user's home directory.
The patch was meant as a proof of concept, which I'd tidy up if there
was any interest. There wasn't any, and it does everything I personally
need, so it has been stagnant for a while. Let me know if you want to take
a look at it... I've even got a modified Ubuntu package.
Jon
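An added example, not code from Jon's or Roman's messages: the same restriction done with stock sshd_config directives (ChrootDirectory and ForceCommand internal-sftp, available since OpenSSH 4.9; PermitTTY needs 6.2) in place of the patch's GlobalReqDeny/ChannelReqDeny lines, plus a check for the chroot ownership rule that sshd enforces before it will chroot. Assumes Linux with GNU coreutils `stat -c`.

```shell
#!/bin/sh
# Added example, not code from the thread: stock-OpenSSH equivalent of
# Jon's Match block (ChrootDirectory + ForceCommand internal-sftp) and a
# check for the chroot ownership rule sshd enforces. Assumes GNU `stat -c`.

# Emit an sshd_config Match block confining group $1 to sftp under $2.
# internal-sftp is used because the chroot holds no sftp-server binary.
match_block() {
    cat <<EOF
Match Group $1
    ChrootDirectory $2
    ForceCommand internal-sftp
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTTY no
EOF
}

# Return 0 if octal mode $1 (as printed by stat %a) grants write to group
# or others; sshd rejects such a directory anywhere on the chroot path.
mode_is_loose() {
    case "$1" in
        *[2367]?|*[2367]) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 only if absolute path $1 and every parent up to / are owned by
# root and not group/world writable, the condition sshd checks at login.
chroot_path_ok() {
    path=$1
    case "$path" in /*) ;; *) echo "need an absolute path" >&2; return 1 ;; esac
    while :; do
        info=$(stat -c '%u %a' "$path" 2>/dev/null) || return 1
        uid=${info% *}; mode=${info#* }
        if [ "$uid" -ne 0 ]; then
            echo "$path: owned by uid $uid, not root" >&2; return 1
        fi
        if mode_is_loose "$mode"; then
            echo "$path: mode $mode is group/world writable" >&2; return 1
        fi
        [ "$path" = / ] && return 0
        path=$(dirname "$path")
    done
}

match_block restricted /data/exchange
if chroot_path_ok /data/exchange; then echo "/data/exchange is chroot-safe"; fi
```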