Adding a chroot-directory option per key in authorized_keys file

David Shlemayev davidshlemayev at gmail.com
Sun Feb 23 04:40:43 AEDT 2020


I'm trying to create a temporary sftp "inbox", so users can share
files more easily.
To do that I want the sender to generate a temporary key pair, send me
the public key securely (perhaps over TLS or a trusted third party),
then I can add a line in authorized_keys like this:

restrict,command="internal-sftp",chroot-directory="/run/ssh-inbox/1000/05b475...a592b2"
ssh-rsa AAAAB3NzaC...kIQX3jyJ2oM=

Which allows only sftp access to the following key, chrooted to the
given directory (which is owned by root, created by a daemon/suid
binary/etc), which is /run/ssh-inbox/<UID>/<SHA256(pubkey)>/
My patch verifies that the key has restrict and
command="internal-sftp" set before accepting the key.

I tried to stick to the surrounding code style as much as I could, let
me know if i need to fix anything.

Thanks,
- David
-------------- next part --------------
A non-text attachment was scrubbed...
Name: openssh-chroot_dir-authorized_keys.patch
Type: text/x-patch
Size: 7119 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20200222/4dd9e74b/attachment-0001.bin>


More information about the openssh-unix-dev mailing list