2

I know that I can create shortcuts for specific users/servers on the client side via ~/.ssh/config or /etc/ssh/ssh_config, but I would like to do something similar but on the server side.

That is, when I issue on the client:

 ssh [email protected]

I am actually chrooted to

/home/jon/pub

on name.server.top where I will use sftp.

In /etc/ssh/sshd_config I have seen examples like the following:

Subsystem sftp internal-sftp
Match user pub
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no

Will the following also work?

    ChrootDirectory /home/jon/pub

Is it possible to create pub as a sort of virtual user? That is, the remote user logs in as pub and his public key is in /home/jon/.ssh/authorized_keys, so without the hassle of creating a separate /home/pub/.ssh/authorized_keys or the /home/pub directory at all.

3 Answers

2

If it would work, you should probably have:

  • ChrootDirectory /home/jon
  • the home dir of pub in /etc/passwd just set to /pub.

/home/jon must be owned by root and writable only by root.

You also need a working root dir with all you need in /home/jon, such as bin (for the shell), lib (shared libs), etc (passwd for uid-to-name conversion) and so on.

It is most likely not ChrootDirectory you're after.

You could instead try to create multiple entries in /etc/passwd with the "aliased" user names you wish with different home directories under /home/jon. You can assign the same numerical UID and GID as for the user jon.

I'm not sure the public key authentication will work satisfactorily, though. Try it and comment.

1
  • I basically implemented your ideas in my answer. Commented Sep 12, 2014 at 21:05
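
The ownership rule stated in the answer above (/home/jon owned by root and writable only by root) as a pre-flight check, added here as an example that is not part of the original answers: sshd_config(5) applies that rule to every component of the ChrootDirectory path, so the script walks up to /. The function names, the script file name and the optional UID argument are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original answers). sshd requires uid 0; the
# optional UID argument is an assumption so the check can be tried unprivileged.

# check_component DIR [UID]: DIR must be a directory owned by UID (default 0)
# and must not be writable by group or others.
check_component() {
    dir=$1
    want_uid=${2:-0}
    if [ ! -d "$dir" ]; then
        echo "$dir: not a directory" >&2
        return 1
    fi
    # ls -ldn prints: mode links uid gid size ...
    set -- $(ls -ldn -- "$dir")
    mode=$1
    uid=$3
    if [ "$uid" != "$want_uid" ]; then
        echo "$dir: owned by uid $uid, expected $want_uid" >&2
        return 1
    fi
    case $mode in
        ?????w*|????????w*)
            echo "$dir: group- or world-writable ($mode)" >&2
            return 1 ;;
    esac
    return 0
}

# check_chroot_path PATH [UID]: apply check_component to PATH and every parent
# directory up to /, as sshd does for ChrootDirectory.
check_chroot_path() {
    path=$1
    want=${2:-0}
    case $path in
        /*) ;;
        *) echo "$path: must be an absolute path" >&2; return 2 ;;
    esac
    while :; do
        check_component "$path" "$want" || return 1
        [ "$path" = / ] && return 0
        path=$(dirname "$path")
    done
}

# Usage (file name is hypothetical): sh check_chroot.sh /home/jon
if [ "$#" -gt 0 ]; then check_chroot_path "$@"; fi
```

A non-zero exit status with a message on stderr names the first component that sshd would refuse.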
2

I tested this in a virtual machine context: the SSH server is Cygwin (also VM host); the client is Arch Linux SSH (also VM guest).

I used the following script.
I am not chrooting so I don't need to copy any binaries in the shared folder, only to copy the public key. Anyway I think that, using the internal-sftp (not SSH), binary requirements should be reduced.

#!/bin/sh      

## Setup SFTP access on server side
## using an alias user and to a subdir of the aliased user home
## ------------------------------------------------------------


## Customise
## Shared path inside the aliased user home
sharedpath="/home/jon/pub"
## Aliased user name
altuser="pub"
## Path to the public key of aliased user
pubkey=~/.ssh/pub_rsa.pub


## Add aliased user to /etc/passwd
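## Match the whole login-name field so a longer name sharing the prefix is not picked up
user=$(grep "^$USER:" /etc/passwd)
txt="$altuser:$(echo "$user" | cut -d: -f2-5)"
txt="$txt:$sharedpath:$(echo "$user" | cut -d: -f7)"
echo "$txt" >>/etc/passwd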


## Set user rules in sshd_config
txt="Match User $altuser
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
"
echo "$txt" >>/etc/ssh/sshd_config

## Copy the public key in the shared folder 
mkdir -p "$sharedpath/.ssh"
cp  "$pubkey" "$sharedpath/.ssh/"


## Format sftp line
echo "You can now run on the client (adjust paths accordingly):" 
echo "sftp -i ${pubkey%.*} [email protected]"
0

You could probably (ab)use the AuthorizedKeysCommand option for fetching public keys from all home directories, although that seems a bit impractical.

As for chrooting, read carefully about ChrootDirectory: there are lots of things you would need inside of the chroot for interactive sessions.
