Re: ChrootDirectory on a per key basis
Damien Miller wrote:
> No, letting users chroot to arbitrary directories introduces
> serious security problems. Think about hard-linking /bin/su into
> a chroot on the same filesystem where an attacker has filled in
> a friendly /etc/passwd.
OK, so adding a chrootdir option to authorized keys is a bad idea.
Another way to achieve my objective, which is additional sftp file
access restrictions to connections authorized with certain keys, would
be to modify sftp-server to accept a directory parameter. The
authorized_keys could then have 'command="sftp-server -d
/home/user/stuff"' option to restrict access to /home/user/stuff.
Could this be made secure so that if an attacker has a copy of the
(passwordless) private key, he would not be able to access files outside
the given directory?
openssh-unix-dev mailing list