How to: Restrict Users to SCP and SFTP and Block SSH Shell Access with rssh

Published December 31, 2007 · 25 comments · last updated December 31, 2007


FTP is an insecure protocol, but file transfer is needed all the time. You can use the OpenSSH server to transfer files with SCP and SFTP (secure FTP) without setting up an FTP server. However, this also grants the user an SSH shell, because OpenSSH requires the account to have a valid login shell. Here is how SFTP works:

SCP/SFTP -> sshd -> sftp subsystem is invoked -> requires a login shell -> user can log in to the server and run other commands.

In this article series we show how to provide secure, restricted file-transfer services to your users without resorting to FTP. It also covers chroot jail setup to lock users into their own home directories (users can transfer files but cannot browse the entire Linux / UNIX file system of the server), as well as per-user configuration.

rssh ~ a restricted shell

rssh is a restricted shell for use with OpenSSH, allowing only scp and/or sftp. It now also includes support for rdist, rsync, and cvs. For example, if you have a server which you only want to allow users to copy files off of via scp, without providing shell access, you can use rssh to do that.

Supported operations using rssh

The restricted shell allows only the following operations:

  • scp - Secure file copy
  • sftp - Secure FTP
  • cvs - Concurrent Versions System; lets you retrieve old versions to see exactly which change caused a bug
  • rsync - Backup and sync file system
  • rdist - Backup; the RDist program maintains identical copies of files on multiple hosts

Install rssh

CentOS / Fedora / RHEL Linux rssh installation

Visit Dag's repo to grab the rssh package:
# cd /tmp
# wget http://dag.wieers.com/rpm/packages/rssh/rssh-2.3.2-1.2.el5.rf.i386.rpm
# rpm -ivh rssh-2.3.2-1.2.el5.rf.i386.rpm

Debian / Ubuntu Linux rssh installation

Use the apt-get command:
$ sudo apt-get install rssh

FreeBSD installation

# cd /usr/ports/shells/rssh
# make install clean

Make sure you build the binary with rsync support.

rssh configuration file

  • Default configuration file: /etc/rssh.conf (FreeBSD: /usr/local/etc/rssh.conf)
  • Default rssh binary location: /usr/bin/rssh (FreeBSD: /usr/local/bin/rssh)
  • Default port: none. rssh is a login shell with restrictions, not a network service; connections still arrive through OpenSSH on port 22.
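The following script is an added example and is not part of the original article or of the rssh project. It writes a minimal rssh.conf that enables only scp and sftp (using the allowscp, allowsftp, umask and logfacility directives that rssh's shipped configuration documents; anything not enabled stays disabled), then audits a passwd file for accounts whose login shell is rssh and checks whether the rssh binary is registered in the shells file. The passwd and shells contents are constructed sample data written to a temporary directory, so the script runs without touching the real system; point the paths at /etc/passwd, /etc/shells and /etc/rssh.conf for an actual audit.

```shell
#!/bin/sh
# Added example (not from the article or the rssh project): build a
# scp/sftp-only rssh.conf and audit which accounts are restricted by rssh.
# Everything below lives in a temp directory; the passwd and shells files
# are constructed sample data, not copies of a real system.

WORK="$(mktemp -d)"
RSSH_BIN=/usr/bin/rssh            # /usr/local/bin/rssh on FreeBSD
CONF="$WORK/rssh.conf"
PASSWD="$WORK/passwd"
SHELLS="$WORK/shells"

# Write a config that enables only scp and sftp. The other service
# directives (allowcvs, allowrdist, allowrsync) are left out, so those
# operations remain blocked.
write_rssh_conf() {               # $1 = path of the config to write
    cat > "$1" <<'EOF'
# rssh.conf: allow only scp and sftp, nothing else
logfacility = LOG_USER
allowscp
allowsftp
umask = 022
EOF
}

# Constructed sample account database: two rssh-restricted accounts and
# one account with a normal shell.
cat > "$PASSWD" <<EOF
root:x:0:0:root:/root:/bin/bash
vivek:x:1001:1001::/home/vivek:/bin/bash
backup1:x:1002:1002::/home/backup1:$RSSH_BIN
ftpuser:x:1003:1003::/home/ftpuser:$RSSH_BIN
EOF

# Constructed shells file that does not list rssh yet (FTP daemons and chsh
# consult this file, so a missing entry breaks those services).
printf '/bin/sh\n/bin/bash\n' > "$SHELLS"

# Print login names whose login shell is the rssh binary, one per line.
rssh_users() {                    # $1 = passwd file, $2 = rssh binary path
    awk -F: -v sh="$2" '$7 == sh { print $1 }' "$1"
}

# Exit status 0 if the rssh binary is registered in the shells file.
rssh_in_shells() {                # $1 = shells file, $2 = rssh binary path
    grep -qxF "$2" "$1"
}

# Print the service directives that an rssh.conf enables (allowscp, ...).
enabled_services() {              # $1 = rssh.conf
    sed -n 's/^[[:space:]]*\(allow[a-z]*\)[[:space:]]*$/\1/p' "$1"
}

write_rssh_conf "$CONF"
echo "services enabled in $CONF:"
enabled_services "$CONF"
echo "accounts restricted by rssh:"
rssh_users "$PASSWD" "$RSSH_BIN"
if rssh_in_shells "$SHELLS" "$RSSH_BIN"; then
    echo "$RSSH_BIN is listed in $SHELLS"
else
    echo "WARNING: $RSSH_BIN is missing from $SHELLS; add it so FTP and chsh accept it"
fi
```

Run it as-is to see the sample output; for a real host, set PASSWD, SHELLS and CONF to the system files and drop the constructed sample data. The audit functions are deliberately read-only, so they are safe to run from a cron job that reports which accounts are restricted and whether the shell registration is still in place.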


1 john January 2, 2008 at 8:45 pm

How about a suse procedure?

2 nixCraft January 2, 2008 at 8:58 pm

john,

The procedure is the same for Suse Linux; just download and install the rpm file.

3 J.P. Pasnak January 2, 2008 at 9:52 pm

As a note, rssh is available in Mandriva Contribs (for 2008 and Cooker at least). So ‘urpmi rssh’ should work fine.

4 Christoph Langner January 4, 2008 at 12:19 am

The developer of rssh quit the development of rssh two years ago. I wouldn’t recommend to use rssh since security issues won’t be fixed. Better use scponly…

5 FreeMa January 22, 2008 at 3:22 pm

For those using Ubuntu (tested on Gutsy 7.10), I suggest that you follow these instructions:

http://geekzine.org/2007/09/28/easy-sftp-and-chroot-sftp-with-scponly/

FreeMa

6 khurram June 25, 2008 at 4:53 pm

Hi Vivic,

Thanks a lot, I have installed the SFTP server using the above procedure. Now I want users to be able to log in using their public and private key pairs instead of passwords. Is it possible? Can anyone help me please? Thanks.

7 Webagentur November 5, 2008 at 3:28 pm

Why install this rssh?

8 Girish April 29, 2009 at 3:59 pm

This is awesome! Thank you for posting this.

Girish

9 speller April 30, 2009 at 12:32 am

Not sure what to download for Suse Enterprise?

10 Hans Ruedi August 16, 2009 at 9:55 am

I’ve chrooted my SSH with this patch. Works perfect for me. Maybe check that page for other OpenSSH versions.

11 jigs October 15, 2009 at 12:17 am

Hi, thanks for the article. It helped a lot.

But I have a requirement to allow internal transfers using FTP with the same account. After I set up rssh and change the shell of an SFTP/FTP account to rssh, the user can no longer access the server via SSH and is only allowed SFTP. But it also rejects FTP access. Is there a way around this?

12 Bbp June 2, 2010 at 12:18 am

I haven’t tried it yet, but, as I understand it, you can use rssh if you want to restrict the user's access to SFTP, SCP, rsync and a few other services. If you want to allow the user to use SSH, FTP and more, there is no reason to use rssh for that user.

13 Anonymous June 9, 2010 at 5:01 pm

add it into /etc/shells

14 ordenador October 9, 2014 at 2:48 pm

Thank you, adding it to /etc/shells works for FTP!!

15 jeantoe February 25, 2010 at 3:10 pm

Hi, when I try to ssh I get the message “This account is restricted by rssh.
This user is locked out. If you believe this is in error, please contact your system administrator.” How do I change it?
Thank you

16 Jay June 14, 2011 at 4:26 pm

Look at the title of the article and then go away.

17 Venkatesh August 12, 2010 at 12:47 am

Vivek:
I do not want the users to land in their respective home directory, for example /users/vivek; instead I want them to land only in /users/vivek/data and not even be able to go up to /users/vivek. Where should we make the change, in the /etc/passwd file?

18 paul March 2, 2011 at 6:05 am

Does RSSH allow SSH tunnels?

19 radiant_exitence March 17, 2011 at 1:06 am

Hi,
I hope someone can answer my question about scp and sftp in openSUSE 11.3. I tried to use the internal sftpd and it was working ok, but you cannot do scp with the internal sftpd. Of course I also want to chroot users in a jail, which the internal sftpd allows you to do, but you cannot scp. Are there any instructions on how to do it, or do some of you know how it is done?

20 John Willis March 31, 2011 at 7:09 am

I had a great deal of trouble getting this to work on RHEL 5.6 i386 until I discovered there was a permissions problem with several directories.

Tips
1. yum install rssh-2.3.2-1.2.el5.rf.i386.rpm and consider version locking, later versions seem broken
2. /etc/rssh.conf – uncomment #allowscp and #allowsftp and set the chrootpath =
3. chmod o+x the chrootpath
4. cd chrootpath
5. mkdir dev etc lib usr
6. chmod 755 *
7. mknod -m 666 //dev/null c 1 3
8. cp /etc/group /etc/passwd /etc/ld.so.cache /etc/ld.so.conf /etc/ld.so.conf.d /etc/nsswitch.conf to //etc
9. cp the /lib ldd results to //lib
A. cd chrootpath/usr
B. mkdir lib libexec
C. chmod o+x *
D. cp the /usr/lib ldd results to //usr/lib
E. cp rssh_chroot_helper to //usr/libexec
F. chmod 655 rssh_chroot_helper
G. mkdir openssh
H. cp sftp-server //usr/libexec/openssh
I. chmod 755 sftp-server

Persistently the problems I ran into were (a) not copying /etc/group and /etc/passwd or leaving them empty.. they need at a minimum entries for root and the users that will sftp into the chrootpath (b) not realizing the importance of the o+x on the chrootpath and the directories holding the rssh_chroot_helper and sftp-server

I finally stumbled upon the issue by temporarily chmod -R 777 across the entire chrootpath on a test box and working the problem backwards once it was working, removing unnecessary things and permissions.

The debugging built into sshd and rssh was not very helpful; straces of the rssh shell and sftp-server were equally not useful in debugging the problem. The results of the straces seemed to indicate there were no problems accessing any files.

I suspect the logging would have been more helpful with a “full” duplicate of the operating system in the chroot instead of a minimal system, with the minimal resources the debug logging did not occur after chroot took place.

21 John Willis March 31, 2011 at 7:13 am

addendum

The Tips above include a “chrootpath” between the “double” slashes “//”, but the comment posting system interpreted it as an HTML tag because of the angle brackets and removed the “left angle bracket” chrootpath “right angle bracket”.

Just thought I’d mention the “double” slashes are important to interpreting the Tips.

22 CXO March 13, 2012 at 6:01 pm

When using CentOS 6.2 x64 (prebuilt RPMs from repoforge), all appears well, except when running rsync: it fails with an “insecure -e option not allowed” message on the client and:

Mar 13 13:57:47 dco-rsync1 rssh[2307]: setting log facility to LOG_USER
Mar 13 13:57:47 dco-rsync1 rssh[2307]: setting umask to 022
Mar 13 13:57:47 dco-rsync1 rssh[2307]: chrooting all users to /var/chroot
Mar 13 13:57:47 dco-rsync1 rssh[2307]: line 30: configuring user cxo
Mar 13 13:57:47 dco-rsync1 rssh[2307]: setting cxo’s umask to 011
Mar 13 13:57:47 dco-rsync1 rssh[2307]: allowing rsync to user cxo
Mar 13 13:57:47 dco-rsync1 rssh[2307]: chrooting cxo to /var/chroot/home/cxo
Mar 13 13:57:47 dco-rsync1 rssh[2307]: insecure -e option in rdist command line!
Mar 13 13:57:47 dco-rsync1 rssh[2307]: user cxo attempted to execute forbidden commands
Mar 13 13:57:47 dco-rsync1 rssh[2307]: command: rsync --server --sender -de.s --list-only .

The rsync command looks “weird” and the mention of “rdist” shouldn’t be there. Thoughts?

23 CXO March 13, 2012 at 6:27 pm

Apparently “--protocol=29” on the client side fixes this. Brings me to the next hurdle…

24 Siddharth R April 8, 2013 at 9:33 pm

Can we do rsync with scponly shell for the account not /bin/bash ?

25 john willis November 16, 2013 at 1:10 pm

I don’t think so, because scponly does not include shell support.. but this is a guess, a lot of scponly intentions also require shell support in the change root jail.. unless scponly has included a minimal set of shell commands it will always be better to use rssh.. that is why it’s still pursued as a proper solution.. no guessing involved, it is the same as having full scp service and shell support