Re: sftp-server only in subdir possible? (openssh-unix-dev)
DI Roman Fiedler wrote:
> I'm searching for a simple solution to allow access to only one
> directory of an existing user (that may not login) via sftp-server and
> authorized_keys file using the extended syntax
> command="/usr/lib/openssh/sftp-server --root
> ssh-rsa AAA...keydata
> Is something like that already possible, is there a better solution?
I wrote a patch which could facilitate this. It allows requests (as
defined in RFC 4254) to be controlled using a configuration like the
    Match Group restricted
    Subsystem sftp /usr/lib/openssh/sftp-server --chroot
The above would effectively only allow "session" channels to be opened
and only "subsystem" requests to be made for any user in the
"restricted" group. So X11 requests of any kind, port forwarding and
shell/exec requests would be disabled. There are loads of chroot patches
around which you could use, but mine jails to the user's home directory.
The patch was meant as a proof of concept, which I'd tidy up if there
was any interest. There wasn't any and it does everything I personally
need, so has been stagnant for a while. Let me know if you want to take
a look at it... I've even got a modified Ubuntu package.
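Added example, not part of the thread and not the --chroot patch described above: the same policy (sftp only, jailed to one directory, no shell, exec, forwarding or X11) written with stock sshd_config options that later OpenSSH releases provide, together with a POSIX-shell check for the rule sshd enforces on a chroot target. The group name "restricted" is taken from the post; the jail path /srv/sftp/%u and every function name in the script are assumptions.

```shell
#!/bin/sh
# Added example (not the thread's code and not the --chroot patch above):
# the same "sftp only, jailed, no shell/forwarding/X11" policy written
# with stock sshd_config options that later OpenSSH releases provide,
# plus a check for the rule sshd enforces on a chroot target.
# Assumptions: group "restricted" comes from the post; the jail path
# /srv/sftp/%u and all function names here are placeholders.

# Print a Match block confining every member of GROUP to JAIL.
# sshd expands %u to the login name, so each user lands in a separate
# directory under one root-owned parent.
sftp_only_config() {
    group=$1
    jail=$2
    cat <<EOF
Match Group $group
    ChrootDirectory $jail
    ForceCommand internal-sftp
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTunnel no
    PermitTTY no
EOF
}

# sshd refuses to chroot unless the target and every parent directory
# are owned by root and writable by nobody else ("bad ownership or
# modes for chroot directory"). Return 0 when DIR passes the mode half
# of that rule. ls -ld is used so no GNU stat is required.
dir_mode_ok() {
    perms=$(ls -ld "$1" | cut -c1-10)
    case $perms in
        ?????w*)    return 1 ;;   # group write bit (position 6)
        ????????w*) return 1 ;;   # other write bit (position 9)
    esac
    return 0
}

# Owner name of DIR, as ls reports it.
dir_owner() {
    ls -ld "$1" | awk '{ print $3 }'
}

# Both halves of the rule for one directory.
chroot_dir_ok() {
    [ "$(dir_owner "$1")" = "root" ] && dir_mode_ok "$1"
}

# Walk from DIR (absolute path) up to / and reject the first directory
# that fails; run this before pointing ChrootDirectory at DIR.
chroot_path_ok() {
    d=$1
    while [ "$d" != "/" ] && [ "$d" != "." ]; do
        chroot_dir_ok "$d" || { echo "bad ownership or modes: $d" >&2; return 1; }
        d=$(dirname "$d")
    done
    chroot_dir_ok /
}

# Usage: sh sftp_jail.sh /srv/sftp   (checks the parent, then prints the block)
if [ $# -eq 1 ]; then
    chroot_path_ok "$1" && sftp_only_config restricted "$1/%u"
fi
```

ChrootDirectory can only be set in sshd_config (globally or inside a Match block), not per key in authorized_keys, which is why the jail has to be expressed this way rather than through the command="..." syntax in the original question. Append the printed block to sshd_config and run `sshd -t` before reloading; if the parent directory fails the ownership or mode check, sshd will refuse the login rather than fall back to an unjailed session.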
openssh-unix-dev mailing list