backup server

How to: Configure User Account to Use a Restricted Shell ( rssh )

Now that rssh is installed, the next logical step is to configure a user account to use it. All you have to do is set the account's login shell to /usr/bin/rssh. The following example adds the user didi to the system with /usr/bin/rssh as the shell.

Create a new user with /usr/bin/rssh

Log in as the root user.

Type the following command to create a new user called didi:
# useradd -m -d /home/didi -s /usr/bin/rssh didi
# passwd didi

Change existing user shell to /usr/bin/rssh

Use the chsh command or the usermod command to change a user's login shell:
# usermod -s /usr/bin/rssh old-user-name
# usermod -s /usr/bin/rssh vivek
# chsh -s /usr/bin/rssh vivek

Try logging in via ssh or sftp

Now try to log in via ssh or sftp using the username didi:
$ sftp didi@my.backup.server.com
$ ssh didi@my.backup.server.com

didi@my.backup.server.com's password: TYPE-THE-PASSWORD
Linux my.backup.server.com 2.6.22-14-generic #1 SMP Tue Dec 18 08:02:57 UTC 2007 i686
Last login: Thu Dec 27 16:35:04 2007 from localhost
This account is restricted by rssh.
This user is locked out.
If you believe this is in error, please contact your system administrator.
Connection to my.backup.server.com closed.

By default, the rssh configuration locks down everything and denies any sort of access.

Grant access to sftp and scp for all users

The default action for rssh is to lock down everything. To grant access to scp or sftp, open the /etc/rssh.conf file:
# vi /etc/rssh.conf
Append or uncomment the two lines that enable scp and sftp (the allowscp and allowsftp directives described below).

Save and close the file. rssh reads its configuration file on the fly (there is no rssh service to restart). The user should now be able to run the scp and sftp commands, but no shell access is granted:
$ scp /path/to/file didi@my.backup.server.com:/.
$ sftp didi@my.backup.server.com:/.

Connecting to my.backup.server.com...
didi@my.backup.server.com's password:
sftp> pwd
Remote working directory: /home/didi

Understanding command configuration options

Add the following keywords / directives to allow or disallow scp / sftp and other commands:

  • allowscp : Tells the shell that scp is allowed.
  • allowsftp : Tells the shell that sftp is allowed.
  • allowcvs : Tells the shell that cvs is allowed.
  • allowrdist : Tells the shell that rdist is allowed.
  • allowrsync : Tells the shell that rsync is allowed.

Tip: Create a group for rssh users, and limit executable access to the binaries to users in that group to improve security. Please use standard file permissions carefully and appropriately.

SSH: Rotate backup shell script to remove directories (old backup files)

Most of the time you have limited space on the remote SFTP / SSH backup server. Here is a script that periodically cleans up old backup files from the server, i.e. it removes old directories.

The script automatically calculates the dates from today's date. By default it keeps only the last 7 days of backups on the server. You can easily increase or decrease this limit. To run the script you must meet the following criteria:

  • Remote SSH server with rm command execution permission
  • SSH keys for passwordless login (see how to set up RSA / DSA keys for passwordless login)
  • Accurate date and time on local system (see how to synchronize clock using ntpdate ntp client)
  • Remote backup directory must be in dd-mm-yyyy or mm-dd-yyyy format. For example daily mysql backup should be stored in /mysql/mm-dd-yyyy format.

Sample Script Usage

Run the script as follows:
./rot.backup.sh 7 /mysql "rm -rf"

  • 7 : Remove the last 7 days of files
  • /mysql : Base directory to clean up. If today's date is 9/Oct/2007, it will remove the directories /mysql/02-10-2007, /mysql/01-10-2007, .... /mysql/26-09-2007, /mysql/25-09-2007. This means the script will keep only the last 7 days of backups on the remote sftp / ssh server.
  • rm -rf : Command to run on directory structure

Sample Shell Script

Install the following script:

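#!/bin/bash
# Usage: rot.backup.sh upper-limit path {command}
if [ "$#" == "0" ];then
  echo "$0 upper-limit path {command}"
  exit 1
fi
### SSH Server setup ###
SSH_USER="your-ssh-user"            # placeholder: remote account that may run the command
SSH_SERVER="my.backup.server.com"   # placeholder: remote backup server
START=7                             # number of most recent days to keep
DIR_FORMAT="%d-%m-%Y" # DD-MM-YYYY format
#DIR_FORMAT="%m-%d-%Y" #MM-DD-YYYY format
## do not edit below ##
LIMIT=$( expr $START + $1 )
## default CMD ##
CMD="ls"        # harmless default: list the directories instead of removing them
SSH_PATH="."    # default remote base directory
[ "$3" != "" ] && CMD="$3" || :
[ "$2" != "" ] && SSH_PATH="$2" || :
# Build the list of dated directory names from START to LIMIT days ago
DAYS=$(for d in $(seq $START $LIMIT);do date --date="$d days ago" +"${DIR_FORMAT}"; done)
for d in $DAYS
do
  ssh "${SSH_USER}@${SSH_SERVER}" "${CMD}" "${SSH_PATH}/$d"
done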

Run the above script via crontab (cron job):
@daily /path/to/rot.ssh.script 7 "/html" "rm -rf"
@daily /path/to/rot.ssh.script 7 "/mysql" "rm -rf"
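
Because the script runs rm -rf on paths built from its arguments, it helps to validate the base path and print the target directories before a real run. The following dry-run planner is an added example, not part of the original script; valid_base and plan_rotation are hypothetical helper names, and it assumes GNU date and seq as the original script does.

```bash
#!/bin/bash
# Added example (not the page's script): print what a rotation run would delete.
# valid_base and plan_rotation are hypothetical helper names.

# The base path ends up inside a remote "rm -rf" command line, so accept only
# an absolute path made of safe characters: not "/", no ".." or "//", and
# nothing the remote shell would treat as syntax (spaces, ";", "$", "*" ...).
valid_base() {
  case "$1" in
    ""|/)               return 1 ;;
    *..*|*//*)          return 1 ;;
    *[!A-Za-z0-9/._-]*) return 1 ;;
    /*)                 return 0 ;;
    *)                  return 1 ;;
  esac
}

# plan_rotation TODAY KEEP COUNT BASE [FORMAT]
# TODAY is YYYY-MM-DD. Prints one directory per line for KEEP..KEEP+COUNT days
# before TODAY, the same range as "seq $START $LIMIT" in the script above.
plan_rotation() {
  local today="$1" keep="$2" count="$3" base="$4" fmt="${5:-%d-%m-%Y}" n day
  case "$today" in
    [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
    *) echo "date must be YYYY-MM-DD" >&2; return 1 ;;
  esac
  for n in "$keep" "$count"; do
    case "$n" in
      ""|*[!0-9]*) echo "day counts must be whole numbers" >&2; return 1 ;;
    esac
  done
  valid_base "$base" || { echo "refusing base path: '$base'" >&2; return 1; }
  for n in $(seq "$keep" $((keep + count))); do
    # -u keeps the arithmetic in UTC so a DST change cannot skip or repeat a day
    day=$(date -u --date="$today $n days ago" +"$fmt") || return 1
    printf '%s/%s\n' "${base%/}" "$day"
  done
}

# Constructed sample run, using the page's 9/Oct/2007 example:
plan_rotation 2007-10-09 7 7 /mysql
```

Pass "$(date +%F)" as the first argument to plan for today, and review the printed list before running the script with "rm -rf".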