sftp-server only in subdir possible?

Jonathan Miles jon at cybus.co.uk
Thu Sep 13 00:31:39 EST 2007

DI Roman Fiedler wrote:
> I'm searching for a simple solution to allow access to only one 
> directory of an existing user (that may not login) via sftp-server and 
> authorized_keys file using the extended syntax
> command="/usr/lib/openssh/sftp-server --root 
> /data/exchange",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty 
> ssh-rsa AAA...keydata
> Is something like that already possible, is there a better solution?

I wrote a patch which could facilitate this. It allows requests (as 
defined in RFC 4254) to be controlled using a configuration like the 

Match Group restricted
   GlobalReqDeny tcpip-forward
   GlobalReqDeny direct-tcpip
   ChannelDeny x11
   ChannelReqDeny shell
   ChannelReqDeny exec
   ChannelReqDeny x11-req
   ChannelReqDeny pty-req
   ChannelReqDeny env
   Subsystem sftp /usr/lib/openssh/sftp-server --chroot

The above would effectively only allow "session" channels to be opened 
and only "subsystem" requests to be made for any user in the 
"restricted" group. So X11 requests of any kind, port forwarding and 
shell/exec requests would be disabled. There are loads of chroot patches 
around which you could use, but mine jails to the user's home directory.

The patch was meant as a proof of concept, which I'd tidy up if there 
was any interest. There wasn't any and it does everything I personally 
need, so has been stagnant for a while. Let me know if you want to take 
a look at it... I've even got a modified Ubuntu package.


More information about the openssh-unix-dev mailing list