Limit SFTP access to specific folders when using a public/private key with OpenSSH
Is it possible to limit what folders a user can sftp to when using public/private keys?
Say I have a server with user1 and their home folder is /home/user1. I already have it configured so user1 can SSH to the server using public/private keys. Right now they can also sftp to the server using the same public/private keys and this lets them see the same files/folders they could if they had SSHd.
I want to create a new set of public/private keys that would be used just for sftp but I want to make it so this set of keys only lets them view files/folders in /home/user1/data/.
I don't see a way to do this through authorized_keys so I am wondering if there is another way to do it?
Update
The reason is that I want to minimize risk when/if different devices are compromised. In other words, if one of my devices with a public/private key is compromised, the hacker will only be able to do what that one public/private key combination lets them.
For example:
- I have a server at home running Linux with OpenSSH server running on it
- I have a few desktops at home that use public/private keys to access the server
- I have a laptop that will run an SFTP-based sync client to sync the laptop's C:\Users\me\Documents with the server's /home/me/docs/laptop/
For that last bullet, I want to secure it such that if my laptop is compromised the bad actor won't be able to use the public/private keys to gain access to other parts of my server.
My sync client will use automation so I can't use passwords. Using public/private keys will work great because any decent SFTP client can use SSH public/private keys. But, even if my sync client is only configured to access /home/me/docs/laptop/, the key will be on the laptop so if a bad actor gets access to the laptop they could use the key to ssh to the box and gain access to other folders.
I looked into chrooting but it seems to work based on the login ID and not the public/private key being used. I don't want to create new login IDs because the files/folders in /home/me will all be owned by the account me and I don't want to muck around with granting other accounts access to different folders like /home/me/docs/laptop/. Plus with chroot the main folder has to be owned by root which won't work for my use-case.
ssh openssh sftp ssh-keys public-key-encryption
can you assign groups to the user and folders?
– JacobIRR
Dec 21 '18 at 21:43
no. this is user1's home folder so only user1 has access.
– IMTheNachoMan
Dec 21 '18 at 21:45
I wasn’t using public/private keys, but I just got done dealing with this. Just look up using chroot with sFTP and there are dozens of well written articles. Or maybe specify why this doesn’t meet your needs.
– Appleoddity
Dec 22 '18 at 5:32
@Appleoddity I looked into chroot but it won't work for my use-case. I updated the question with more details.
– IMTheNachoMan
Dec 22 '18 at 6:13
asked Dec 21 '18 at 21:15, edited Dec 22 '18 at 6:13 – IMTheNachoMan
1 Answer
Clarification requested:
You state Linux but not if things like configuration file lockdowns/SELinux user lockdowns are in play or what Linux OS this is?
You mention the presence of several users (presently or planned) but only seem to imply 1 user on several hosts. Still not seeing how having an sftp chroot would not work here.
answered Dec 26 '18 at 3:45 – linuxdev2013