How to: Configure User Account to Use a Restricted Shell (rssh)
Now that rssh is installed, the next logical step is to configure a user to use it. All you have to do is set the user account's login shell to /usr/bin/rssh. The following examples add a user called didi to the system with /usr/bin/rssh as the shell.
Create a new user with /usr/bin/rssh
Login as the root user
Type the following command to create a new user called didi:
# useradd -m -d /home/didi -s /usr/bin/rssh didi
# passwd didi
Change existing user shell to /usr/bin/rssh
Use the chsh command or the usermod command to change an existing user's login shell:
# usermod -s /usr/bin/rssh old-user-name
# usermod -s /usr/bin/rssh vivek
# chsh -s /usr/bin/rssh vivek
Try login via ssh or sftp
Now try to log in via ssh or sftp using the username didi:
$ sftp didi@my.backup.server.com
OR
$ ssh didi@my.backup.server.com
Output:
didi@my.backup.server.com's password: TYPE-THE-PASSWORD
Linux my.backup.server.com 2.6.22-14-generic #1 SMP Tue Dec 18 08:02:57 UTC 2007 i686
Last login: Thu Dec 27 16:35:04 2007 from localhost
This account is restricted by rssh.
This user is locked out.
If you believe this is in error, please contact your system administrator.
Connection to my.backup.server.com closed.
The connection is closed because the default rssh configuration locks down everything: no shell and no file-transfer command is permitted until you enable it.
Grant access to sftp and scp for all users
The default action of rssh is to lock down everything. To grant access to scp or sftp, open the /etc/rssh.conf file:
# vi /etc/rssh.conf
Append or uncomment the following two lines:
allowscp
allowsftp
Save and close the file. rssh reads its configuration file on the fly each time a user connects (there is no rssh service to restart). Now the user should be able to run scp and sftp commands, but still gets no shell access:
$ scp /path/to/file didi@my.backup.server.com:/.
OR
$ sftp didi@my.backup.server.com:/.
Output:
Connecting to my.backup.server.com...
didi@my.backup.server.com's password:
sftp> pwd
Remote working directory: /home/didi
sftp>
Understanding command configuration options
Add or uncomment the following keywords / directives in /etc/rssh.conf to allow scp / sftp and the other supported commands; a directive that is absent or commented out leaves that command disallowed:
- allowscp : Tells the shell that scp is allowed.
- allowsftp : Tells the shell that sftp is allowed.
- allowcvs : Tells the shell that cvs is allowed.
- allowrdist : Tells the shell that rdist is allowed.
- allowrsync : Tells the shell that rsync is allowed.
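To check the effect of these directives across a whole system, here is an added audit script (not from the article or the rssh project) that reads a passwd file and an rssh.conf, lists every account whose login shell is /usr/bin/rssh, and reports which allow* directives are actually uncommented. The account names and config contents are constructed for the demo; on a real host pass /etc/passwd and /etc/rssh.conf to the same functions.

```shell
#!/bin/sh
# Added example (not code from the original article or from rssh):
# audit which accounts log in through /usr/bin/rssh and which commands
# the active rssh.conf directives allow. Sample inputs are constructed.

# Login names whose shell field is exactly /usr/bin/rssh.
rssh_users() {        # $1 = passwd-format file
    awk -F: '$7 == "/usr/bin/rssh" { print $1 }' "$1"
}

# Commands enabled by uncommented allow* lines, in a fixed order.
# "#allowscp" is a comment and grants nothing; only a directive that
# starts the line (optionally indented) counts.
rssh_allowed() {      # $1 = rssh.conf-format file
    for cmd in scp sftp cvs rdist rsync; do
        if grep -Eq "^[[:space:]]*allow${cmd}([[:space:]]|$)" "$1"; then
            echo "$cmd"
        fi
    done
}

# One line per restricted user: the allowed commands, or a lock-out note
# when nothing is enabled (rssh's shipped default).
rssh_report() {       # $1 = passwd file, $2 = rssh.conf
    allowed=$(rssh_allowed "$2" | tr '\n' ' ')
    rssh_users "$1" | while read -r user; do
        if [ -n "$allowed" ]; then
            echo "$user: allowed -> ${allowed% }"
        else
            echo "$user: locked out (no allow* directive active)"
        fi
    done
}

# Constructed sample inputs (hypothetical accounts and config).
PASSWD=$(mktemp); CONF=$(mktemp)
cat > "$PASSWD" <<'EOF'
vivek:x:1000:1000::/home/vivek:/bin/bash
didi:x:1001:1001::/home/didi:/usr/bin/rssh
backup:x:1002:1002::/home/backup:/usr/bin/rssh
EOF
cat > "$CONF" <<'EOF'
#allowscp
allowsftp
#allowcvs
EOF
rssh_report "$PASSWD" "$CONF"   # prints "didi: allowed -> sftp" and the same for backup
rm -f "$PASSWD" "$CONF"
```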
Tip: Create a group for rssh users, and limit execute permission on the rssh binary (and the scp/sftp/rsync binaries it may launch) to members of that group to improve security. Standard file permissions are enough for this; apply them carefully and appropriately.
Continue reading the rest of the rssh restricted shell series:
Contents
- How to: Restrict Users to SCP and SFTP and Block SSH Shell Access with rssh
- How to: Configure User Account to Use a Restricted Shell ( rssh )
- Linux Configure rssh Chroot Jail To Lock Users To Their Home Directories Only
- rssh: Per User Configuration Options For Chroot Jail
This article is a life saver. I am a FreeBSD sysad but was forced to use CentOS! Thanks man! I'm subscribing to your RSS feeds!
I want to transfer files to another machine using scp or sftp. How can I use scp or sftp in my shell script so that the system takes the password for sftp automatically?
Nice tutorial!
I was just happy that I found what I needed, but it seems there's something that I'm missing.
I need a user friendly interface to upload/download files (for my friends) and rsync (for me). So I uncommented "allowscp", "allowsftp" and "allowrsync". I tested ssh, scp and sftp in the console and everything worked as expected, but when I tried to connect with gFTP (I'm using Ubuntu Hardy) and selected an SSH2 connection, I was able to browse the directories below my user's home dir. In that case rssh is not really "restricted". Is this some bug?
gFTP connects to the remote host with "ssh -e none -l myusername 192.168.0.110 -s sftp". When I type it in the console and enter the password, the cursor blinks on the next row until I press Ctrl+C. The auth.log says:
Connection from 192.168.0.130 port 36633
Failed none for myusername from 192.168.0.130 port 36633 ssh2
Accepted password for myusername from 192.168.0.130 port 36633 ssh2
pam_unix(sshd:session): session opened for user myusername by (uid=0)
subsystem request for sftp
I'll make a post on ubuntuforums.org, but thought it would be useful for others if we find what's the reason for this behaviour.
I would prefer using rssh without chroot, so please help me solve this issue.