How to: Restrict Users to SCP and SFTP and Block SSH Shell Access with rssh
FTP is insecure protocol, but file-transfer is required all time. You can use OpenSSH Server to transfer file using SCP and SFTP (secure ftp) without setting up an FTP server. However, this feature also grants ssh shell access to a user. Basically OpenSSH requires a valid shell. Here is how sftp works:
SCP/SFTP -> SSHD -> Call sftpd subsystem -> Requires a shell -> User can login to server and run other commands.
In this article series we will help you provide secure restricted file-transfer services to your users without resorting to FTP. It also covers chroot jail setup instructions to lock down users to their own home directories (allow users to transfer files but not browse the entire Linux / UNIX file system of the server) as well as per user configurations.
rssh ~ a restricted shell
rssh is a restricted shell for use with OpenSSH, allowing only scp and/or sftp. It now also includes support for rdist, rsync, and cvs. For example, if you have a server which you only want to allow users to copy files off of via scp, without providing shell access, you can use rssh to do that.
Supported operations using rssh
Restricted shell only allows following operations only:
- scp - Secure file copy
- sftp - Secure FTP
- cvs - Concurrent Versions System ~ you can easily retrieve old versions to see exactly which change caused the bug
- rsync - Backup and sync file system
- rdist - Backup / RDist program maintains identical copies of files on multiple hosts.
Install rssh
CentOS / Fedora / RHEL Linux rssh installation
Visit Dag's repo to grab rssh package
# cd /tmp
# wget http://dag.wieers.com/rpm/packages/rssh/rssh-2.3.2-1.2.el5.rf.i386.rpm
# rpm -ivh rssh-2.3.2-1.2.el5.rf.i386.rpm
Debian / Ubuntu Linux rssh installation
Use apt-get command:
$ sudo apt-get install rssh
FreeBSD installation
# cd /usr/ports/shells/rssh
# make install clean
Make sure you build binary with rsync support.
rssh configuration file
- Default configuration file is located at /etc/rssh.conf (FreeBSD - /usr/local/etc/rssh.conf)
- Default rssh binary location /usr/bin/rssh (FreeBSD - /usr/local/bin/rssh)
- Default port none - ( openssh 22 port used - rssh is shell with security features)
Continue reading rest of the rssh a restricted shell series.
Contents
- How to: Restrict Users to SCP and SFTP and Block SSH Shell Access with rssh
- How to: Configure User Account to Use a Restricted Shell ( rssh )
- Linux Configure rssh Chroot Jail To Lock Users To Their Home Directories Only
- rssh: Per User Configuration Options For Chroot Jail
Want to stay up to date with the latest Linux tips, news and announcements? Subscribe to our free e-mail newsletter or RSS feed to get all updates.
You can Email this page to a friend.
You may also be interested in other helpful articles:
- Chroot in OpenSSH / SFTP Feature Added To OpenSSH
- How to: Configure User Account to Use a Restricted Shell ( rssh )
- rssh: Per User Configuration Options For Chroot Jail
- Howto: Add a new yum repository to install software under CentOS / Redhat Linux
- Linux Configure rssh Chroot Jail To Lock Users To Their Home Directories Only
Discussion on This Article:
Leave a Reply
We encourage your comments, and suggestions. But please stay on topic, be polite, and avoid spam. Thank you very much for stopping by our site!
Tags: /etc/rssh.conf, /etc/sysconfig/syslog, chroot conf, chroot howto, chroot jail, chroot mknode, chroot shell, chroot users, debian chroot, fedora chroot, install rssh, redhat chroot, rssh chroot, rssh connection closed, scponly chroot, sftp, sftp chroot, sshd chroot, syslogd



How about a suse procedure?
john,
The procedure is same for Suse Linux, just download and install rpm file
As a note, rssh is available in Mandriva Contribs (for 2008 and Cooker at least). So ‘urpmi rssh’ should work fine.
The developer of rssh quit the development of rssh two years ago. I wouldn’t recommend to use rssh since security issues won’t be fixed. Better use scponly…
For those using Ubuntu (tested on Gutsy 7.10), I suggest that you follow these instructions:
http://geekzine.org/2007/09/28/easy-sftp-and-chroot-sftp-with-scponly/
FreeMa
Hi Vivic,
Thank a lot, I a have installed the SFTP server using the above procedure. Now i want that users can login using there public and private key pairs instead of passwords.Is it possible? can any one help me please. Thanks.