Comments on: How to: Restrict Users to SCP and SFTP and Block SSH Shell Access with rssh

By: Jay

Jay — Tue, 14 Jun 2011 16:26:08 +0000

Look at the title of the article and then go away.

By: John Willis

John Willis — Thu, 31 Mar 2011 07:13:44 +0000

addendum

the Tips above include a “chrootpath” between the “double” slashes “//” but the comment posting system interpreted those due to html tag brackets as html and removed the “left angel bracket” chrootpath “right angle bracket”

just thought I’d mention the “double” slashes were important to intepreting the Tips

By: John Willis

John Willis — Thu, 31 Mar 2011 07:09:49 +0000

I had a great deal of trouble getting this to work on RHEL 5.6 i386 until I discovered there was a permissions problem with several directories.

Tips
1. yum install rssh-2.3.2-1.2.el5.rf.i386.rpm and consider version locking, later versions seem broken
2. /etc/rssh.conf – uncomment #allowscp and #allowsftp and set the chrootpath =
3. chmod o+x the chrootpath
4. cd chrootpath
5. mkdir dev etc lib usr
6. chmod 755 *
7. mknod -m 666 //dev/null c 1 3
8. cp /etc/group /etc/passwd /etc/ld.so.cache /etc/ld.so.conf /etc/ld.so.conf.d /etc/nsswitch.conf to //etc
9. cp the /lib ldd results to //lib
A. cd chrootpath/usr
B. mkdir lib libexec
C. chmod o+x *
D. cp the /usr/lib ldd results to //usr/lib
E. cp rssh_chroot_helper to //usr/libexec
F. chmod 655 rssh_chroot_helper
G. mkdir openssh
H. cp sftp-server //usr/libexec/openssh
I. chmod 755 sftp-server

Persistently the problems I ran into were (a) not copying /etc/group and /etc/passwd or leaving them empty.. they need at a minimum entries for root and the users that will sftp into the chrootpath (b) not realizing the importance of the o+x on the chrootpath and the directories holding the rssh_chroot_helper and sftp-server

I finally stumbled upon the issue by temporarily chmod -R 777 across the entire chrootpath on a test box and working the problem backwards once it was working, removing unnecessary things and permissions.

The debugging built into sshd and rssh were not very helpful, straces of the rssh shell and sftp-server were equally not useful in debugging the problem. The results of the straces seemed to indicate there were no problems accessing all files.

I suspect the logging would have been more helpful with a “full” duplicate of the operating system in the chroot instead of a minimal system, with the minimal resources the debug logging did not occur after chroot took place.

By: radiant_exitence

radiant_exitence — Thu, 17 Mar 2011 01:06:50 +0000

Hi,
I hope someone can answer my question about scp and sftp in openSUSE 11.3. I tried to use internal sftpd and it was working ok but you cannot do scp with internal sftpd. Of course i also want to chroot users in jail which internal sftpd allows you to do but you cannot scp. Are there any instructions how to do it or some of you know how it is done

By: paul

paul — Wed, 02 Mar 2011 06:05:11 +0000

Does RSSH allow SSH tunnels?

By: Venkatesh

Venkatesh — Thu, 12 Aug 2010 00:47:50 +0000

Vivek:
I do not want the users to land on their respective user home directory for example, /users/vivek, instead I want them to land only on /users/vivek/data and not even be able to jump to /users/vivek. Where should we make the change, in the etc/passwd file?

By: Anonymous

Anonymous — Wed, 09 Jun 2010 17:01:42 +0000

add it into /etc/shells

By: jeantoe

jeantoe — Thu, 25 Feb 2010 15:10:02 +0000

hi ,when i try to ssh i got a message “This account is restricted by rssh.
This user is locked out.If you believe this is in error, please contact your system administrator.” how do i changeit ?
thank you

By: jigs

jigs — Thu, 15 Oct 2009 00:17:27 +0000

Hi, thanks for the article. It helped a lot.

But I have a requirement to allow internal transmissions using FTP and using the same account. After I setup RSSH and change the shell on an SFTP/FTP account to RSSH, the user can no longer access the server via SSH, but only allows SFTP. But it also rejects FTP access. Is there a way around this…?

By: Hans Ruedi

Hans Ruedi — Sun, 16 Aug 2009 09:55:13 +0000

I've chrooted my SSH with this patch. Works perfect for me. Maybe check that page for other OpenSSH versions.

By: speller

speller — Thu, 30 Apr 2009 00:32:11 +0000

Not sure what to download for Suse Enterprise?

By: Girish

Girish — Wed, 29 Apr 2009 15:59:48 +0000

This is awesome! Thank you for posting this.

Girish

By: Webagentur

Webagentur — Wed, 05 Nov 2008 15:28:25 +0000

Why install this rssh?

By: khurram

khurram — Wed, 25 Jun 2008 16:53:31 +0000

Hi Vivic,

Thank a lot, I a have installed the SFTP server using the above procedure. Now i want that users can login using there public and private key pairs instead of passwords.Is it possible? can any one help me please. Thanks.

By: FreeMa

FreeMa — Tue, 22 Jan 2008 15:22:46 +0000

For those using Ubuntu (tested on Gutsy 7.10), I suggest that you follow these instructions:

http://geekzine.org/2007/09/28/easy-sftp-and-chroot-sftp-with-scponly/

FreeMa

By: Christoph Langner

Christoph Langner — Fri, 04 Jan 2008 00:19:54 +0000

The developer of rssh quit the development of rssh two years ago. I wouldn’t recommend to use rssh since security issues won’t be fixed. Better use scponly…

By: J.P. Pasnak

J.P. Pasnak — Wed, 02 Jan 2008 21:52:20 +0000

As a note, rssh is available in Mandriva Contribs (for 2008 and Cooker at least). So ‘urpmi rssh’ should work fine.

By: vivek

vivek — Wed, 02 Jan 2008 20:58:57 +0000

john,

The procedure is same for Suse Linux, just download and install rpm file

By: john

john — Wed, 02 Jan 2008 20:45:44 +0000

How about a suse procedure?