limit sftp access to specific folders when using a public/private key with openssh












0















Is it possible to limit what folders a user can sftp to when using public/private keys?



Say I have a server with user1 and their home folder is /home/user1. I already have it configured so user1 can SSH to the server using public/private keys. Right now they can also sftp to the server using the same public/private keys and this lets them see the same files/folders they could if they had SSHd.



I want to create a new set of public/private keys that would be used just for sftp but I want to make it so this set of keys only lets them view files/folders in /home/user1/data/.



I don't see a way to do this through authorized_keys so I am wondering if there is another way to do it?



Update



The reason is I want to minimize risk when/if different devices are compromised. In other words, if one of my devices with a public/private key is compromised, the hacker will only be able to do what that one public/private key combination lets them.



For example:




  • I have a server at home running Linux with OpenSSH server running on it

  • I have a few desktops at home that use public/private keys to access the server

  • I have a laptop that will run a SFTP based sync client to sync the laptop's C:\Users\me\Documents with the server's /home/me/docs/laptop/


For that last bullet, I want to secure it such that if my laptop is compromised the bad actor won't be able to use the public/private keys to gain access to other parts of my server.



My sync client will use automation so I can't use passwords. Using public/private keys will work great because any decent SFTP client can use SSH public/private keys. But, even if my sync client is only configured to access /home/me/docs/laptop/, the key will be on the laptop so if a bad actor gets access to the laptop they could use the key to ssh to the box and gain access to other folders.



I looked into chrooting but it seems to work based on the login ID and not the public/private key being used. I don't want to create new login IDs because the files/folders in /home/me will all be owned by the account me and I don't want to muck around with granting other accounts access to different folders like /home/me/docs/laptop/. Plus with chroot the main folder has to be owned by root which won't work for my use-case.



































  • can you assign groups to the user and folders?

    – JacobIRR
    Dec 21 '18 at 21:43











  • no. this is user1's home folder so only user1 has access.

    – IMTheNachoMan
    Dec 21 '18 at 21:45











  • I wasn’t using public/private keys, but I just got done dealing with this. Just look up using chroot with sFTP and there are dozens of well written articles. Or maybe specify why this doesn’t meet your needs.

    – Appleoddity
    Dec 22 '18 at 5:32











  • @Appleoddity I looked into chroot but it won't work for my use-case. I updated the question with more details.

    – IMTheNachoMan
    Dec 22 '18 at 6:13
















ssh openssh sftp ssh-keys public-key-encryption














edited Dec 22 '18 at 6:13







IMTheNachoMan

















asked Dec 21 '18 at 21:15









IMTheNachoMan
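As an added illustration (not part of the original question or answer): OpenSSH's `authorized_keys` options `command="internal-sftp"` and `restrict` can bind a single key to SFTP and disable forwarding, but the SFTP server's `-d` option only sets the starting directory and is not a jail. The Python sketch below audits `authorized_keys` lines for those properties; the sample lines, key blobs and function names are constructed for this example.

```python
import os

KEY_TYPES = ("ssh-", "ecdsa-sha2-", "sk-ssh-", "sk-ecdsa-")

# Constructed sample lines; the key blobs are placeholders, not real keys.
SAMPLE = '''\
# desktop key: no options at all
ssh-ed25519 AAAAC3placeholderDESKTOP me@desktop
command="internal-sftp -d /home/me/docs/laptop",restrict ssh-ed25519 AAAAC3placeholderLAPTOP laptop-sync
command="internal-sftp",no-pty ssh-ed25519 AAAAC3placeholderOLD old-laptop
'''

def parse_line(line):
    """Return (options dict, remainder) for one authorized_keys line, or None."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.startswith(KEY_TYPES):           # no options field present
        return {}, line
    opts, cur, in_q, i = [], "", False, 0
    while i < len(line):
        c = line[i]
        if c == "\\" and in_q and line[i + 1:i + 2] == '"':
            cur += '"'                       # escaped quote inside a quoted value
            i += 2
            continue
        if c == '"':
            in_q = not in_q
        elif c == "," and not in_q:          # option separator
            opts.append(cur)
            cur = ""
        elif c.isspace() and not in_q:       # end of the options field
            break
        else:
            cur += c
        i += 1
    opts.append(cur)
    options = {}
    for o in opts:
        name, _, val = o.partition("=")
        options[name.lower()] = val          # option names are case-insensitive
    return options, line[i:].strip()

def audit_line(line):
    """Summarise what one key is allowed to do, based on its options only."""
    parsed = parse_line(line)
    if parsed is None:
        return None
    opts, rest = parsed
    cmd = opts.get("command", "").split()
    sftp_only = bool(cmd) and os.path.basename(cmd[0]) in ("internal-sftp", "sftp-server")
    forwarding = "port-forwarding" in opts or not (
        "restrict" in opts or "no-port-forwarding" in opts)
    # -d is only the starting directory; the session can still leave it.
    start_dir = cmd[cmd.index("-d") + 1] if sftp_only and "-d" in cmd[:-1] else None
    return {"label": rest.split()[-1], "sftp_only": sftp_only,
            "forwarding_allowed": forwarding, "start_dir": start_dir}

def audit(text):
    return [r for r in map(audit_line, text.splitlines()) if r is not None]

if __name__ == "__main__":
    for result in audit(SAMPLE):
        print(result)
```

A key reported as `sftp_only` with `forwarding_allowed` false cannot open a shell or tunnel, yet it can still read anything the account can read; confining it to one directory needs `ChrootDirectory` in `sshd_config`, which is matched per user or group rather than per key.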
























1 Answer


















0














Clarification requested:



You state Linux but not if things configuration file lock downs/SELinux user lockdowns are in play or what Linux OS this is?



You mention the presence of several users (presently or planned) but only seem to imply 1 user on several hosts. Still not seeing how having a sftp chroot would not work here.
















        answered Dec 26 '18 at 3:45









        linuxdev2013






























