Adding a chroot-directory option per key in authorized_keys file

David Shlemayev davidshlemayev at
Sun Feb 23 04:40:43 AEDT 2020

I'm trying to create a temporary sftp "inbox", so users can share
files more easily.
To do that I want the sender to generate a temporary key pair, send me
the public key securely (perhaps over TLS or a trusted third party),
then I can add a line in authorized_keys like this:

ssh-rsa AAAAB3NzaC...kIQX3jyJ2oM=

Which allows only sftp access to the following key, chrooted to the
given directory (which is owned by root, created by a daemon/suid
binary/etc), which is /run/ssh-inbox/<UID>/<SHA256(pubkey)>/
My patch verifies that the key has restrict and
command="internal-sftp" set before accepting the key.

I tried to stick to the surrounding code style as much as I could, let
me know if I need to fix anything.

- David
-------------- next part --------------
A non-text attachment was scrubbed...
Name: openssh-chroot_dir-authorized_keys.patch
Type: text/x-patch
Size: 7119 bytes

More information about the openssh-unix-dev mailing list
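
The check and directory layout described in the message above, as an added Python example (not code from the scrubbed patch or from OpenSSH). The helper names, the hex encoding of the SHA-256 over the decoded key blob, and the rejection of options that re-enable a capability after `restrict` are assumptions of this sketch; the sample key is constructed.

```python
import base64
import hashlib

KEY_PREFIXES = ("ssh-", "ecdsa-sha2-", "sk-")   # start of a public key type name
# Options that switch a capability back on after "restrict" (see sshd(8)).
REENABLE = {"pty", "port-forwarding", "agent-forwarding", "x11-forwarding", "user-rc"}
# Constructed sample key blob (all-zero ed25519 key), not a real key.
SAMPLE_BLOB = base64.b64encode(
    b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes(32)).decode()

def parse_line(line):
    """Return (options, key type, decoded key blob) for one authorized_keys line."""
    line = line.strip()
    opts, tok, quoted, i = {}, "", False, 0
    if not line.startswith(KEY_PREFIXES):        # line begins with an options field
        while i < len(line):
            c = line[i]
            if quoted and c == "\\" and line[i + 1:i + 2] == '"':
                tok, i = tok + '"', i + 2        # \" is a literal quote in a value
                continue
            if c == '"':
                quoted = not quoted
            elif not quoted and (c == "," or c.isspace()):
                name, _, value = tok.partition("=")
                opts[name.lower()] = value       # option names are case-insensitive
                tok = ""
                if c != ",":
                    break                        # unquoted whitespace ends the field
            else:
                tok += c
            i += 1
        if quoted:
            raise ValueError("unterminated quote in options")
    keytype, blob = line[i:].split()[:2]
    return opts, keytype, base64.b64decode(blob, validate=True)

def is_inbox_key(line):
    """True only for keys limited to restrict + command="internal-sftp"."""
    try:
        opts, _, _ = parse_line(line)
    except ValueError:
        return False
    return ("restrict" in opts and opts.get("command") == "internal-sftp"
            and REENABLE.isdisjoint(opts))

def inbox_dir(uid, blob):
    """Assumed layout: lowercase hex SHA-256 of the decoded key blob."""
    return f"/run/ssh-inbox/{uid}/{hashlib.sha256(blob).hexdigest()}/"
```

Comparing the parsed `command` value for equality, rather than searching the raw line for the substring, keeps a value such as `command="internal-sftp -R"` or a quoted comma from passing the check.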