Hi!

[ If this is the wrong mailing list for such requests, I apologize; please direct me to the right one ]

Since I have a particular use case for it[0], I wonder if it would be possible to implement a key based (i.e. configured via ~/.ssh/authorized_keys option) restriction to allow sftp access to a specific directory only. I'm aware that I can restrict a specific key to use sftp only using 'command="internal-sftp"', but I want to impose an additional restriction to a specific directory, e.g. by adding 'sftp-chroot="/some/directory"'. This is already possible on a per-user basis in sshd_config using ChrootDirectory, but my question is:

- Would it be possible to implement this feature on a per-key basis within the current architecture of OpenSSH (i.e. without major tweaks to the codebase)?
- If so, is this a feature that would be considered worthwhile enough to be considered for inclusion, should someone step up and provide a reasonable implementation?

If the answer is no to either of the above questions, I'd like to hear the reasoning as well, of course.

If that feature is deemed both implementable (without affecting the OpenSSH architecture) and worthwhile, I might try my hand at it, although note that I'm both a newbie to the OpenSSH project's development, and would do this in my spare time, thus it'd probably take a while, and require (quite?) a bit of steering/review. If anyone has ideas (e.g. areas of code that would require changes) of how that feature can/should be implemented, or would like to implement it themselves, I'm all ears :-).

[0] For the specific use case I mentioned: I'd like for my mobile device to have SFTP access, restricted to a specific directory on my server. It should have access using my regular account, such that access permissions between my regular shell account and the files created by the mobile device are compatible.
Currently I solve this use case using a combination of access via WebDAV and POSIX ACLs, but I'd prefer an SSH-based solution for its stronger authentication/crypto, not requiring ACLs, and avoiding UIDs differing between files created by the WebDAV httpd and the shell account.

Regards, Rotty
--
Andreas Rottmann -- <http://rotty.xx.vu/>
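The two existing mechanisms the message contrasts, the per-user ChrootDirectory in sshd_config and the per-key command="internal-sftp" in authorized_keys, shown side by side as an added configuration example (not from the original post or from OpenSSH's own documentation); the user name, directory and key material are placeholders.

```text
# sshd_config: per-user confinement, the mechanism the message says already exists.
# Caveat: sshd only honours ChrootDirectory when every component of the path is
# owned by root and not writable by group or others; otherwise the login is refused.
Match User mobile-sftp
    ChrootDirectory /srv/sftp/mobile-sftp
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no

# ~/.ssh/authorized_keys on the regular account: per-key restriction to sftp.
# command="internal-sftp" by itself still leaves port, agent and X11 forwarding
# and pty allocation available to that key, so disable them explicitly.
# The directory is NOT confined here; that per-key gap is what the message asks about.
no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty,command="internal-sftp" ssh-rsa AAAA<placeholder-public-key> mobile-device
```

Note that a ForceCommand in a matching sshd_config block takes precedence over the command= option of the key, so the two mechanisms are applied in that order when both are present.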