
Say, I have an account on my remote server storage where users can upload and download data from. I add the SSH key of the allowed users manually to /home/storage/.ssh/authorized_keys. Now, I have two users that use different public SSH keys, Watson and Sherlock.

How can I make sure that Watson can not upload to/download from Sherlock's private gallery? Is it possible to define file/folder permissions based on the SSH key that was used to authenticate?

I thought about a restricted shell program that is set as the storage user's shell. But how can this restricted shell find out what SSH key was used?

Niklas R
    If you don't want them to share permissions then don't share a user account. If you *need* to share a user account you can look at what `gitolite` does for this scenario. – Etan Reisner Nov 13 '14 at 17:31

1 Answer

You can try using the command option in the /home/storage/.ssh/authorized_keys file, with a restricted shell, like this:

# Watson's public key
command="cd /home/storage/watson && rbash" ssh-rsa AAAAB3...2Z
# Sherlock's public key
command="cd /home/storage/sherlock && rbash" ssh-rsa AAAAB4...R5

Now the user will get a restricted shell in a subdirectory depending on which private key is used.

damienfrancois
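The pattern in the answer can be scripted so that every key added to the shared account is pinned to its own directory and also carries the `restrict` option. The script below is an added example, not part of the answer above: `authorized_keys_entry` builds one line per user in the answer's form (forced `cd` plus `rbash`), and `audit_authorized_keys` flags any line in a file that lacks `command=` or `restrict`. It assumes OpenSSH 7.2 or newer (where `restrict` exists; `pty` is re-enabled after it so the interactive `rbash` session still gets a terminal), the `/home/storage/NAME` layout from the question, and the constructed key material shown in the comments.

```shell
#!/bin/sh
# Added example (not from the answer): pin each key in a shared account to a
# per-user directory and audit the resulting authorized_keys file.

# authorized_keys_entry NAME KEYTYPE KEYDATA
# Prints one authorized_keys line for /home/storage/NAME.
#   restrict  : disable port/agent/X11 forwarding and ~/.ssh/rc (OpenSSH >= 7.2)
#   pty       : re-allow a terminal, which restrict turned off, so rbash is usable
#   command=  : the answer's forced command; the client's own command is ignored
# NAME is limited to [a-z0-9_-] so it cannot escape /home/storage via "../".
authorized_keys_entry() {
    name=$1; keytype=$2; keydata=$3
    case $name in
        ''|*[!a-z0-9_-]*) echo "invalid user name: $name" >&2; return 1 ;;
    esac
    # The trailing field is the key comment; here it records the owner.
    printf 'restrict,pty,command="cd /home/storage/%s && exec rbash" %s %s %s\n' \
        "$name" "$keytype" "$keydata" "$name"
}

# audit_authorized_keys FILE
# Prints every active key line that is not both forced (command=) and
# restricted; returns 1 if any such line exists, 0 otherwise.
audit_authorized_keys() {
    awk '
        BEGIN { bad = 0 }
        /^[[:space:]]*(#|$)/ { next }          # skip comments and blank lines
        !/command="/ || !/(^|,)restrict(,|[[:space:]])/ {
            print "unpinned key: " $0
            bad = 1
        }
        END { exit bad }
    ' "$1"
}

# Demo when run directly (constructed, non-functional key strings):
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp)
    authorized_keys_entry watson   ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIWATSONEXAMPLE   > "$tmp"
    authorized_keys_entry sherlock ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAISHERLOCKEXAMPLE >> "$tmp"
    cat "$tmp"
    audit_authorized_keys "$tmp" && echo "audit: all keys pinned"
    rm -f "$tmp"
fi
```

Run with `sh pin_keys.sh demo` to see the generated lines and the audit pass. Two caveats follow from the page's own approach: because the forced command ignores `SSH_ORIGINAL_COMMAND`, scp and sftp clients connecting with these keys receive the restricted shell rather than a transfer subsystem, so uploads need a wrapper that inspects that variable; and `rbash` blocks `cd` and slash-containing command names but not paths given as arguments, so the audit confirms that every key is pinned, not that the directories are isolated from each other.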