I can restrict a key installed into ~/.ssh/authorized_keys to only allow file transfers by forcing an in-process SFTP server:

command="internal-sftp" ssh-rsa AAAAB3NzaC1...(the key follows)

However, using an SFTP connection it is possible to transfer a new version of authorized_keys to the server, with the restriction removed, new keys added and so on. Afterwards, it is possible to connect interactively.

File transfers are exceptionally dangerous due to this possibility. Is there any way to prevent this, for example, to forbid access to anything within ~/.ssh/ when using internal-sftp?

  • This user is using different keys for different purposes, not necessarily SFTP. All of them are going to be restricted, though. If you are thinking about restricting it by forcing a command in sshd_config and making an SFTP-only user, that won't fit. Commented Oct 13, 2022 at 11:46
  • Yeah, that would have been my first idea. I don't know if it is possible to restrict SFTP usage in the way you want - the only thing I could imagine would be a tailored SELinux policy, but I have too little experience to figure out how to do it in practice. Commented Oct 13, 2022 at 12:23

2 Answers

Not sure there isn't another way to get around this. At least I haven't found it with the LXC container I'm using to test it.

As root: chattr +i .ssh/authorized_keys

Then the user can't modify the file.

A possible other way would be to change the location of authorized_keys, or even make sshd look them up with a script. Then the user can't modify the keys ever.

A third option is to use SSH certificates, with the command lockdown in the cert for the SFTP-only users and a second cert that doesn't have that lockdown.

  • What I wanted was for the user to be able to protect their own authorized_keys from modification using SFTP when connected using particular key(s), while still allowing them everything else if they are using other keys. The intention is that this key is for SFTP only, not that this user is SFTP only or is restricted in other ways. Commented Oct 5, 2024 at 5:44

If you don't need write access, you can use the following.

command="internal-sftp -P write" ssh-rsa AAAAB3NzaC1...(the key follows)

From the manpage:

-P blacklisted_request

Specify a comma-separated list of SFTP protocol requests that are banned by the server. sftp-server will reply to any blacklisted request with a failure. The -Q flag can be used to determine the supported request types. If both a blacklist and a whitelist are specified, then the blacklist is applied before the whitelist.

Here is a list of 'requests'.

open
close
read
write
lstat
fstat
setstat
fsetstat
opendir
readdir
remove
mkdir
rmdir
realpath
stat
rename
readlink
symlink
posix-rename
statvfs
fstatvfs
hardlink
fsync
lsetstat
  • I do need write access for everything except ~/.ssh. The problem is not only to limit what can be done, but also to limit where it is allowed to be done. I knew about man sftp-server, thanks. Commented Dec 2, 2024 at 5:58
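As an added audit helper (not from the question or either answer), the following POSIX shell script applies the two answers' points to an authorized_keys file: for each key it reports whether a forced internal-sftp command is set and which of the file-modifying request types from the sftp-server list quoted above are still permitted after the -P blacklist. The function and status names are my own; the request set is constructed from that list.

```shell
#!/bin/sh
# Added audit helper, not from the thread: classify the keys in an
# authorized_keys file by forced command and sftp-server -P blacklist.
# Requests from the sftp-server list quoted above that can change files.
MUTATING="write remove rename posix-rename symlink hardlink mkdir rmdir setstat fsetstat lsetstat"
q='"'

# forced_command LINE -> prints the command="..." option value, or nothing
forced_command() {
    case $1 in *"command=$q"*) ;; *) return ;; esac
    cmd=${1#*command=$q}
    printf '%s\n' "${cmd%%$q*}"
}

# allowed_mutations CMD -> mutating requests NOT covered by the -P list
allowed_mutations() {
    blacklist=
    set -- $1
    while [ $# -gt 1 ]; do
        [ "$1" = "-P" ] && blacklist=$2
        shift
    done
    out=
    for req in $MUTATING; do
        case ",$blacklist," in *",$req,"*) ;; *) out="$out $req" ;; esac
    done
    printf '%s\n' "${out# }"
}

# classify_key LINE -> one of:
#   unrestricted                  no forced command, interactive login possible
#   forced:<cmd>                  some other forced command
#   sftp-only allows: <requests>  internal-sftp, listing mutations still permitted
#   sftp-only read-only           every mutating request is blacklisted
classify_key() {
    cmd=$(forced_command "$1")
    [ -z "$cmd" ] && { echo unrestricted; return; }
    case $cmd in internal-sftp*) ;; *) echo "forced:$cmd"; return ;; esac
    m=$(allowed_mutations "$cmd")
    if [ -n "$m" ]; then echo "sftp-only allows: $m"; else echo "sftp-only read-only"; fi
}

# audit_file FILE -> one classification per key line (blank and # lines skipped)
audit_file() {
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac
        classify_key "$line"
    done < "$1"
}
```

Run it as `audit_file ~/.ssh/authorized_keys`; a key reported as "sftp-only allows: ..." can still alter files under ~/.ssh unless the file is also made immutable or relocated as the first answer suggests.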
