FTP is an insecure protocol, but file transfer is required all the time. You can use OpenSSH Server to transfer files using SCP and SFTP (secure FTP) without setting up an FTP server. However, this feature also grants SSH shell access to a user, because OpenSSH requires a valid shell. Here is how sftp works:
SCP/SFTP -> SSHD -> Call sftpd subsystem -> Requires a shell -> User can login to server and run other commands.
In this article series we will help you provide secure restricted file-transfer services to your users without resorting to FTP. It also covers chroot jail setup instructions to lock down users to their own home directories (allow users to transfer files but not browse the entire Linux / UNIX file system of the server) as well as per user configurations.
rssh ~ a restricted shell
rssh is a restricted shell for use with OpenSSH, allowing only scp and/or sftp. It now also includes support for rdist, rsync, and cvs. For example, if you have a server which you only want to allow users to copy files off of via scp, without providing shell access, you can use rssh to do that.
Supported operations using rssh
The restricted shell allows only the following operations:
- scp - Secure file copy
- sftp - Secure FTP
- cvs - Concurrent Versions System ~ you can easily retrieve old versions to see exactly which change caused the bug
- rsync - Backup and sync file system
- rdist - Backup / RDist program maintains identical copies of files on multiple hosts.
Install rssh
CentOS / Fedora / RHEL Linux rssh installation
Visit Dag's repo to grab the rssh package:
# cd /tmp
# wget http://dag.wieers.com/rpm/packages/rssh/rssh-2.3.2-1.2.el5.rf.i386.rpm
# rpm -ivh rssh-2.3.2-1.2.el5.rf.i386.rpm
Debian / Ubuntu Linux rssh installation
Use apt-get command:
$ sudo apt-get install rssh
FreeBSD installation
# cd /usr/ports/shells/rssh
# make install clean
Make sure you build the binary with rsync support.
rssh configuration file
- Default configuration file is located at /etc/rssh.conf (FreeBSD - /usr/local/etc/rssh.conf)
- Default rssh binary location /usr/bin/rssh (FreeBSD - /usr/local/bin/rssh)
- Default port: none (the OpenSSH port 22 is used; rssh is a shell with security features, not a separate service)
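Because a user is only confined when rssh is actually the login shell, it is worth auditing both the account list and the configuration file. The script below is an added example, not part of the original article: the function names, the minimum UID of 1000 and the sample data are assumptions, while the rssh paths come from the list above and the allow* keywords are the global keywords of rssh.conf.

```shell
#!/bin/sh
# Added example: sample data below is constructed for illustration.
RSSH_BINS="/usr/bin/rssh /usr/local/bin/rssh"   # rssh paths named in the article

# classify_accounts [min_uid]: read passwd-format lines on stdin and print
# "user:class" where class is restricted (shell is rssh), nologin, or
# interactive (a full shell). min_uid defaults to 1000 (assumption) to
# skip system accounts.
classify_accounts() {
    awk -F: -v min="${1:-1000}" -v bins="$RSSH_BINS" '
        BEGIN { n = split(bins, b, " "); for (i = 1; i <= n; i++) rssh[b[i]] = 1 }
        /^#/ || NF < 7 || $3 + 0 < min + 0 { next }
        {
            if ($7 in rssh)                      class = "restricted"
            else if ($7 ~ /\/(nologin|false)$/)  class = "nologin"
            else                                 class = "interactive"
            print $1 ":" class
        }'
}

# enabled_ops: read an rssh.conf on stdin and print the operations whose
# global allow* keyword is active (not commented out), sorted.
enabled_ops() {
    sed -e 's/#.*//' | awk '
        /^[ \t]*allow(scp|sftp|cvs|rdist|rsync)[ \t]*$/ {
            sub(/^[ \t]*allow/, ""); sub(/[ \t]*$/, ""); print
        }' | sort
}

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001::/home/alice:/usr/bin/rssh
bob:x:1002:1002::/home/bob:/bin/bash
carol:x:1003:1003::/home/carol:/usr/sbin/nologin'

SAMPLE_CONF='# constructed rssh.conf fragment
allowscp
allowsftp
#allowrsync'

echo "Accounts:";        printf '%s\n' "$SAMPLE_PASSWD" | classify_accounts
echo "Enabled by rssh:"; printf '%s\n' "$SAMPLE_CONF" | enabled_ops
```

On a real server, feed the functions live data with `getent passwd | classify_accounts` and `enabled_ops < /etc/rssh.conf`; any file-transfer account reported as interactive still has full shell access.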
Continue reading the rest of the rssh restricted shell series.
Contents
- How to: Restrict Users to SCP and SFTP and Block SSH Shell Access with rssh
- How to: Configure User Account to Use a Restricted Shell ( rssh )
- Linux Configure rssh Chroot Jail To Lock Users To Their Home Directories Only
- rssh: Per User Configuration Options For Chroot Jail
- Last Updated: Dec/31/2007



How about a suse procedure?
john,
The procedure is same for Suse Linux, just download and install rpm file
As a note, rssh is available in Mandriva Contribs (for 2008 and Cooker at least). So ‘urpmi rssh’ should work fine.
The developer of rssh quit the development of rssh two years ago. I wouldn’t recommend to use rssh since security issues won’t be fixed. Better use scponly…
For those using Ubuntu (tested on Gutsy 7.10), I suggest that you follow these instructions:
http://geekzine.org/2007/09/28/easy-sftp-and-chroot-sftp-with-scponly/
FreeMa
Hi Vivic,
Thanks a lot, I have installed the SFTP server using the above procedure. Now I want that users can login using their public and private key pairs instead of passwords. Is it possible? Can anyone help me please? Thanks.
Why install this rssh?
This is awesome! Thank you for posting this.
Girish
Not sure what to download for Suse Enterprise?
I’ve chrooted my SSH with this patch. Works perfect for me. Maybe check that page for other OpenSSH versions.
Hi, thanks for the article. It helped a lot.
But I have a requirement to allow internal transmissions using FTP and using the same account. After I setup RSSH and change the shell on an SFTP/FTP account to RSSH, the user can no longer access the server via SSH, but only allows SFTP. But it also rejects FTP access. Is there a way around this…?