https://bugzilla.mindrot.org/show_bug.cgi?id=3131
Bug ID: 3131
Summary: [PATCH] Adding a chroot-directory option per key in
authorized_keys file
Product: Portable OpenSSH
Version: 8.2p1
Hardware: Other
OS: All
Status: NEW
Severity: enhancement
Priority: P5
Component: sshd
Assignee: unassigned-bugs@mindrot.org
Reporter: davidshlemayev@gmail.com
Created attachment 3361
--> https://bugzilla.mindrot.org/attachment.cgi?id=3361&action=edit
Patch file to add a per-key chroot-directory option
I'm trying to create a temporary sftp "inbox", so users can share
files more easily.
To do that I want the sender to generate a temporary key pair, send me
the public key securely (perhaps over TLS or a trusted third party),
then I can add a line in authorized_keys like this:
restrict,command="internal-sftp",chroot-directory="/run/ssh-inbox/1000/05b475...a592b2"
ssh-rsa AAAAB3NzaC...kIQX3jyJ2oM=
Which allows only sftp access to the following key, chrooted to the
given directory (which is owned by root, created by a daemon/suid
binary/etc), which is /run/ssh-inbox/<UID>/<SHA256(pubkey)>/
My patch verifies that the key has restrict and
command="internal-sftp" set before accepting the key.
I tried to stick to the surrounding code style as much as I could, let
me know if i need to fix anything.
Thanks,
- David
--
You are receiving this mail because:
You are watching the assignee of the bug.
_______________________________________________
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs
Bug ID: 3131
Summary: [PATCH] Adding a chroot-directory option per key in
authorized_keys file
Product: Portable OpenSSH
Version: 8.2p1
Hardware: Other
OS: All
Status: NEW
Severity: enhancement
Priority: P5
Component: sshd
Assignee: unassigned-bugs@mindrot.org
Reporter: davidshlemayev@gmail.com
Created attachment 3361
--> https://bugzilla.mindrot.org/attachment.cgi?id=3361&action=edit
Patch file to add a per-key chroot-directory option
I'm trying to create a temporary sftp "inbox", so users can share
files more easily.
To do that I want the sender to generate a temporary key pair, send me
the public key securely (perhaps over TLS or a trusted third party),
then I can add a line in authorized_keys like this:
restrict,command="internal-sftp",chroot-directory="/run/ssh-inbox/1000/05b475...a592b2"
ssh-rsa AAAAB3NzaC...kIQX3jyJ2oM=
Which allows only sftp access to the following key, chrooted to the
given directory (which is owned by root, created by a daemon/suid
binary/etc), which is /run/ssh-inbox/<UID>/<SHA256(pubkey)>/
My patch verifies that the key has restrict and
command="internal-sftp" set before accepting the key.
I tried to stick to the surrounding code style as much as I could, let
me know if i need to fix anything.
Thanks,
- David
--
You are receiving this mail because:
You are watching the assignee of the bug.
_______________________________________________
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs