limit sftp access to specific folders when using a public/private key with openssh












0















Is it possible to limit what folders a user can sftp to when using public/private keys?



Say I have a server with user1 and their home folder is /home/user1. I already have it configured so user1 can SSH to the server using public/private keys. Right now they can also sftp to the server using the same public/private keys and this lets them see the same files/folders they could if they had SSHd.



I want to create a new set of public/private keys that would be used just for sftp but I want to make it so this set of keys only lets them view files/folders in /home/user1/data/.



I don't see a way to do this through authorized_keys so I am wondering if there is another way to do it?



Update



The reason I want to minimize risk when/if different devices are compromised. In other words, if one of my devices with a public/private key is compromised, the hacker will only be able to do what that one public/private key combination lets them.



For example:




  • I have a server at home running Linux with OpenSSH server running on it

  • I have a few desktops at home that use public/private keys to access the server

  • I have a laptop that will run a SFTP based sync client to sync the laptop's C:UsersmeDocuments with the server's /home/me/docs/laptop/


For that last bullet, I want to secure it such that if my laptop is compromised th bad actor won't be able to use the public/private keys to gain access to other parts of my server.



My sync client will use automation so I can't use passwords. Using public/private keys will work great because any decent SFTP client can use SSH public/private keys. But, even if my sync client is only configured to access /home/me/docs/laptop/, the key will on the laptop so if a bad actor gets access to the laptop they could use the key to ssh to the box and gain access to other folders.



I looked into chrooting but it seems to work based on the login ID and not the public/private key being used. I don't want to create new login IDs because the files/folders in /home/me will all be owned by the account me and I don't want to muck around with granting other accounts access to different folders like /home/me/docs/laptop/. Plus with chroot the main folder has to be owned by root which won't work for my use-case.






ssh openssh sftp ssh-keys public-key-encryption







share|improve this question

























  • can you assign groups to the user and folders?

    – JacobIRR
    Dec 21 '18 at 21:43











  • no. this is user1's home folder so only user1 has access.

    – IMTheNachoMan
    Dec 21 '18 at 21:45











  • I wasn’t using public/private keys, but I just got done dealing with this. Just look up using chroot with sFTP and there are dozens of well written articles. Or maybe specify why this doesn’t meet your needs.

    – Appleoddity
    Dec 22 '18 at 5:32











  • @Appleoddity I looked into chroot but it won't work for my use-case. I updated the question with more details.

    – IMTheNachoMan
    Dec 22 '18 at 6:13
















0















Is it possible to limit what folders a user can sftp to when using public/private keys?



Say I have a server with user1 and their home folder is /home/user1. I already have it configured so user1 can SSH to the server using public/private keys. Right now they can also sftp to the server using the same public/private keys and this lets them see the same files/folders they could if they had SSHd.



I want to create a new set of public/private keys that would be used just for sftp but I want to make it so this set of keys only lets them view files/folders in /home/user1/data/.



I don't see a way to do this through authorized_keys so I am wondering if there is another way to do it?



Update



The reason I want to minimize risk when/if different devices are compromised. In other words, if one of my devices with a public/private key is compromised, the hacker will only be able to do what that one public/private key combination lets them.



For example:




  • I have a server at home running Linux with OpenSSH server running on it

  • I have a few desktops at home that use public/private keys to access the server

  • I have a laptop that will run a SFTP based sync client to sync the laptop's C:UsersmeDocuments with the server's /home/me/docs/laptop/


For that last bullet, I want to secure it such that if my laptop is compromised th bad actor won't be able to use the public/private keys to gain access to other parts of my server.



My sync client will use automation so I can't use passwords. Using public/private keys will work great because any decent SFTP client can use SSH public/private keys. But, even if my sync client is only configured to access /home/me/docs/laptop/, the key will on the laptop so if a bad actor gets access to the laptop they could use the key to ssh to the box and gain access to other folders.



I looked into chrooting but it seems to work based on the login ID and not the public/private key being used. I don't want to create new login IDs because the files/folders in /home/me will all be owned by the account me and I don't want to muck around with granting other accounts access to different folders like /home/me/docs/laptop/. Plus with chroot the main folder has to be owned by root which won't work for my use-case.






ssh openssh sftp ssh-keys public-key-encryption







share|improve this question

























  • can you assign groups to the user and folders?

    – JacobIRR
    Dec 21 '18 at 21:43











  • no. this is user1's home folder so only user1 has access.

    – IMTheNachoMan
    Dec 21 '18 at 21:45











  • I wasn’t using public/private keys, but I just got done dealing with this. Just look up using chroot with sFTP and there are dozens of well written articles. Or maybe specify why this doesn’t meet your needs.

    – Appleoddity
    Dec 22 '18 at 5:32











  • @Appleoddity I looked into chroot but it won't work for my use-case. I updated the question with more details.

    – IMTheNachoMan
    Dec 22 '18 at 6:13














0












0








0








Is it possible to limit what folders a user can sftp to when using public/private keys?



Say I have a server with user1 and their home folder is /home/user1. I already have it configured so user1 can SSH to the server using public/private keys. Right now they can also sftp to the server using the same public/private keys and this lets them see the same files/folders they could if they had SSHd.



I want to create a new set of public/private keys that would be used just for sftp but I want to make it so this set of keys only lets them view files/folders in /home/user1/data/.



I don't see a way to do this through authorized_keys so I am wondering if there is another way to do it?



Update



The reason I want to minimize risk when/if different devices are compromised. In other words, if one of my devices with a public/private key is compromised, the hacker will only be able to do what that one public/private key combination lets them.



For example:




  • I have a server at home running Linux with OpenSSH server running on it

  • I have a few desktops at home that use public/private keys to access the server

  • I have a laptop that will run a SFTP based sync client to sync the laptop's C:UsersmeDocuments with the server's /home/me/docs/laptop/


For that last bullet, I want to secure it such that if my laptop is compromised th bad actor won't be able to use the public/private keys to gain access to other parts of my server.



My sync client will use automation so I can't use passwords. Using public/private keys will work great because any decent SFTP client can use SSH public/private keys. But, even if my sync client is only configured to access /home/me/docs/laptop/, the key will on the laptop so if a bad actor gets access to the laptop they could use the key to ssh to the box and gain access to other folders.



I looked into chrooting but it seems to work based on the login ID and not the public/private key being used. I don't want to create new login IDs because the files/folders in /home/me will all be owned by the account me and I don't want to muck around with granting other accounts access to different folders like /home/me/docs/laptop/. Plus with chroot the main folder has to be owned by root which won't work for my use-case.






ssh openssh sftp ssh-keys public-key-encryption







share|improve this question
















Is it possible to limit what folders a user can sftp to when using public/private keys?



Say I have a server with user1 and their home folder is /home/user1. I already have it configured so user1 can SSH to the server using public/private keys. Right now they can also sftp to the server using the same public/private keys and this lets them see the same files/folders they could if they had SSHd.



I want to create a new set of public/private keys that would be used just for sftp but I want to make it so this set of keys only lets them view files/folders in /home/user1/data/.



I don't see a way to do this through authorized_keys so I am wondering if there is another way to do it?



Update



The reason I want to minimize risk when/if different devices are compromised. In other words, if one of my devices with a public/private key is compromised, the hacker will only be able to do what that one public/private key combination lets them.



For example:




  • I have a server at home running Linux with OpenSSH server running on it

  • I have a few desktops at home that use public/private keys to access the server

  • I have a laptop that will run a SFTP based sync client to sync the laptop's C:UsersmeDocuments with the server's /home/me/docs/laptop/


For that last bullet, I want to secure it such that if my laptop is compromised th bad actor won't be able to use the public/private keys to gain access to other parts of my server.



My sync client will use automation so I can't use passwords. Using public/private keys will work great because any decent SFTP client can use SSH public/private keys. But, even if my sync client is only configured to access /home/me/docs/laptop/, the key will on the laptop so if a bad actor gets access to the laptop they could use the key to ssh to the box and gain access to other folders.



I looked into chrooting but it seems to work based on the login ID and not the public/private key being used. I don't want to create new login IDs because the files/folders in /home/me will all be owned by the account me and I don't want to muck around with granting other accounts access to different folders like /home/me/docs/laptop/. Plus with chroot the main folder has to be owned by root which won't work for my use-case.






ssh openssh sftp ssh-keys public-key-encryption




ssh openssh sftp ssh-keys public-key-encryption






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Dec 22 '18 at 6:13







IMTheNachoMan

















asked Dec 21 '18 at 21:15









IMTheNachoManIMTheNachoMan

18712




18712













  • can you assign groups to the user and folders?

    – JacobIRR
    Dec 21 '18 at 21:43











  • no. this is user1's home folder so only user1 has access.

    – IMTheNachoMan
    Dec 21 '18 at 21:45











  • I wasn’t using public/private keys, but I just got done dealing with this. Just look up using chroot with sFTP and there are dozens of well written articles. Or maybe specify why this doesn’t meet your needs.

    – Appleoddity
    Dec 22 '18 at 5:32











  • @Appleoddity I looked into chroot but it won't work for my use-case. I updated the question with more details.

    – IMTheNachoMan
    Dec 22 '18 at 6:13



















  • can you assign groups to the user and folders?

    – JacobIRR
    Dec 21 '18 at 21:43











  • no. this is user1's home folder so only user1 has access.

    – IMTheNachoMan
    Dec 21 '18 at 21:45











  • I wasn’t using public/private keys, but I just got done dealing with this. Just look up using chroot with sFTP and there are dozens of well written articles. Or maybe specify why this doesn’t meet your needs.

    – Appleoddity
    Dec 22 '18 at 5:32











  • @Appleoddity I looked into chroot but it won't work for my use-case. I updated the question with more details.

    – IMTheNachoMan
    Dec 22 '18 at 6:13

















can you assign groups to the user and folders?

– JacobIRR
Dec 21 '18 at 21:43





can you assign groups to the user and folders?

– JacobIRR
Dec 21 '18 at 21:43













no. this is user1's home folder so only user1 has access.

– IMTheNachoMan
Dec 21 '18 at 21:45





no. this is user1's home folder so only user1 has access.

– IMTheNachoMan
Dec 21 '18 at 21:45













I wasn’t using public/private keys, but I just got done dealing with this. Just look up using chroot with sFTP and there are dozens of well written articles. Or maybe specify why this doesn’t meet your needs.

– Appleoddity
Dec 22 '18 at 5:32





I wasn’t using public/private keys, but I just got done dealing with this. Just look up using chroot with sFTP and there are dozens of well written articles. Or maybe specify why this doesn’t meet your needs.

– Appleoddity
Dec 22 '18 at 5:32













@Appleoddity I looked into chroot but it won't work for my use-case. I updated the question with more details.

– IMTheNachoMan
Dec 22 '18 at 6:13





@Appleoddity I looked into chroot but it won't work for my use-case. I updated the question with more details.

– IMTheNachoMan
Dec 22 '18 at 6:13










1 Answer
1






active

oldest

votes


















0














Clarification requested:



You state linux but not if things configuration file lock downs/SELinux user lockdowns are in play or what linux OS this is?



You mention the presence of several users ( presently or planned ) but only seem to imply 1 user on several hosts. Still not seeing how having a sftp chroot would not work here.






share|improve this answer























    Your Answer








    StackExchange.ready(function() {
    var channelOptions = {
    tags: "".split(" "),
    id: "3"
    };
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function() {
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled) {
    StackExchange.using("snippets", function() {
    createEditor();
    });
    }
    else {
    createEditor();
    }
    });

    function createEditor() {
    StackExchange.prepareEditor({
    heartbeatType: 'answer',
    autoActivateHeartbeat: false,
    convertImagesToLinks: true,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: 10,
    bindNavPrevention: true,
    postfix: "",
    imageUploader: {
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    },
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    });


    }
    });














    draft saved

    draft discarded


















    StackExchange.ready(
    function () {
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1386788%2flimit-sftp-access-to-specific-folders-when-using-a-public-private-key-with-opens%23new-answer', 'question_page');
    }
    );

    Post as a guest















    Required, but never shown

























    1 Answer
    1






    active

    oldest

    votes








    1 Answer
    1






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes









    0














    Clarification requested:



    You state linux but not if things configuration file lock downs/SELinux user lockdowns are in play or what linux OS this is?



    You mention the presence of several users ( presently or planned ) but only seem to imply 1 user on several hosts. Still not seeing how having a sftp chroot would not work here.






    share|improve this answer




























      0














      Clarification requested:



      You state linux but not if things configuration file lock downs/SELinux user lockdowns are in play or what linux OS this is?



      You mention the presence of several users ( presently or planned ) but only seem to imply 1 user on several hosts. Still not seeing how having a sftp chroot would not work here.






      share|improve this answer


























        0












        0








        0







        Clarification requested:



        You state linux but not if things configuration file lock downs/SELinux user lockdowns are in play or what linux OS this is?



        You mention the presence of several users ( presently or planned ) but only seem to imply 1 user on several hosts. Still not seeing how having a sftp chroot would not work here.






        share|improve this answer













        Clarification requested:



        You state linux but not if things configuration file lock downs/SELinux user lockdowns are in play or what linux OS this is?



        You mention the presence of several users ( presently or planned ) but only seem to imply 1 user on several hosts. Still not seeing how having a sftp chroot would not work here.







        share|improve this answer












        share|improve this answer



        share|improve this answer










        answered Dec 26 '18 at 3:45









        linuxdev2013linuxdev2013

        976819




        976819






























            draft saved

            draft discarded




















































            Thanks for contributing an answer to Super User!


            • Please be sure to answer the question. Provide details and share your research!

            But avoid



            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.


            To learn more, see our tips on writing great answers.




            draft saved


            draft discarded














            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1386788%2flimit-sftp-access-to-specific-folders-when-using-a-public-private-key-with-opens%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown







            -

            Popular posts from this blog

            Plaza Victoria

            Image
            Plaza Victoria Plaza Victoria en 2017 Otros nombres Plaza de La Victoria Localización El Almendral, Valparaíso, Chile Vías adyacentes Chacabuco, Molina, Plaza Victoria y Edwards Creación 1841 Metro Bellavista Ubicación 33°02′46″S 71°37′11″O  /  -33.04624167, -71.61980833 Coordenadas: 33°02′46″S 71°37′11″O  /  -33.04624167, -71.61980833 [editar datos en Wikidata] La Plaza Victoria , también llamada Plaza de la Victoria , [ 1 ] ​ es una plaza ubicada en el sector El Almendral del plan de la ciudad de Valparaíso, Chile, de importancia patrimonial, que incluye valiosas estatuas y especies vegetales. [ 2 ] ​ La plaza se creó como tal en la primera mitad del siglo XIX, tomando previamente los nombres de Plaza Nueva y Plaza de Orrego . Si bien desde sus inicios tuvo relevancia histórica, no fue sino a partir de fines de los años 1860 cuando comenzó a cobrar mayor importancia y se convirtió en uno de los principales centros sociales de l
            Read more

            In PowerPoint, is there a keyboard shortcut for bulleted / numbered list?

            Image
            .everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty{ height:90px;width:728px;box-sizing:border-box; } 2 OneNote has two useful keyboard shortcuts for bulleted and numbered lists, namely Ctrl + . and Ctrl + - . Is there something similar for PowerPoint where the work with lists is also very common? Haven't found anything here: Use keyboard shortcuts in PowerPoint. keyboard-shortcuts microsoft-powerpoint share | improve this question edited Aug 14 '14 at 14:49 Linger 2,826 10 28 40
            Read more

            How to put 3 figures in Latex with 2 figures side by side and 1 below these side by side images but in...

            Image
            1 0 I want to put 3 images in LateX such as 2 figures are side by side horizotally and 3rd figure below these 2 side by side figures but in middle. I have following code: begin{figure}[H] centering begin{minipage}{.5textwidth} centering includegraphics[width=.50linewidth]{Text/Images/Genelec_8010_AP.jpg} captionof{figure}{Genelec 8010 AP} label{fig:Genelec 8010} end{minipage}% begin{minipage}{.5textwidth} centering includegraphics[width=.69linewidth]{Text/Images/Genelec_8020_CPM.jpg} captionof{figure}{Genelec 8020 CPM} label{fig:Genelec 8020} end{minipage}% end{figure} %%Here is my 3rd picture code begin{figure} centering includegraphics[width=5cm]{Text/Images/Genelec_8030_BPM.jpg} caption{Genelec 8030 BPM} label{fig:Genelec 8030} end{figure} I want to ask ho
            Read more