rssh: Per User Configuration Options For Chroot Jail


rssh is a restricted shell for providing limited access to a host via ssh: it lets a user run only scp, sftp, cvs, rsync and rdist, and nothing else. It supports both system-wide configuration (the global keywords in /etc/rssh.conf such as allowscp, allowsftp, umask and chrootpath) and per-user configuration through the user keyword. From the rssh.conf man page:
The user configuration directive allows for the configuration of options on a per-user basis. THIS KEYWORD OVERRIDES ALL OTHER KEYWORDS FOR THE SPECIFIED USER. That is, if you use a user keyword for user foo, then foo will use only the settings in that user line, and not any of the settings set with the keywords above. The user keyword’s argument consists of a group of fields separated by a colon (:), as shown below. The fields are, in order:

  • username : The username of the user for whom the entry provides options
  • umask : The umask for this user, in octal, just as it would be specified to the shell
  • access bits : Five binary digits, which indicate whether the user is allowed to use rsync, rdist, cvs, sftp, and scp, in that order. One means the command is allowed, zero means it is not.
  • path : The directory to which this user should be chrooted (this is not a command, it is a directory name).

rssh examples of configuring per-user options

Open the /etc/rssh.conf file:
# vi /etc/rssh.conf
Allow user tom to bypass our chroot jail:
Provide jerry cvs access with no chroot:
Provide spike rsync access with no chroot:
Provide tyke scp access (access bits 00001 enable scp only) with a chroot jail located at /users:
user="tyke:011:00001:/users" # whole user string can be quoted
If your chroot path contains spaces, it must be quoted. Provide nibbles scp access with a chroot directory:
user=nibbles:011:00001:"/usr/local/tv/shows/tom and jerry"
Remember that a user line replaces every global keyword for that user, so a per-user entry with an empty path field is not chrooted even when a global chrootpath is set. The path you give must already be a working jail (the allowed commands, the shared libraries they load and the device nodes they need, all copied inside it) and rssh_chroot_helper must be installed setuid root; if either is missing, the user is refused at login rather than dropped into the jail.
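The field rules above worked through in code, as an added example that is neither rssh's own parser nor code from the original article: it reads a small rssh.conf, splits each user= value into the four fields, decodes the five access bits in the documented order, accepts both quoting styles (whole value quoted, or only the path quoted), and resolves which policy a given login actually gets, since a user= line replaces every global keyword for that user. The sample lines for tom, jerry and spike are constructed here to match the article's descriptions; the built-in defaults (nothing allowed, umask 077, no chroot) and the rule that an empty path field means no chroot are assumptions of this example drawn from the "no chroot" examples above.

```python
"""Parse rssh.conf per-user entries and resolve a login's effective policy.

Added example; not part of rssh and not from the original article.
Field order per the man page: username:umask:access-bits:chroot-path, with
the access bits covering rsync, rdist, cvs, sftp and scp in that order.
"""
import re

COMMANDS = ("rsync", "rdist", "cvs", "sftp", "scp")
GLOBAL_ALLOW_KEYS = {"allow" + c: c for c in COMMANDS}   # allowscp, allowsftp, ...

# Constructed rssh.conf for this example: the tom/jerry/spike lines are made up
# to match the article's descriptions; tyke and nibbles are the article's lines.
SAMPLE_CONF = """\
logfacility = LOG_USER
umask = 022
allowsftp
chrootpath = /users
user=tom:011:00011:          # sftp and scp, empty path: no chroot
user=jerry:022:00100:        # cvs only, no chroot
user=spike:022:10000:        # rsync only, no chroot
user="tyke:011:00001:/users" # whole user string can be quoted
user=nibbles:011:00001:"/usr/local/tv/shows/tom and jerry"
"""


def _strip_comment(line):
    """Drop a trailing '#' comment, but leave a '#' inside double quotes alone."""
    out, in_quote = [], False
    for ch in line:
        if ch == '"':
            in_quote = not in_quote
        elif ch == "#" and not in_quote:
            break
        out.append(ch)
    return "".join(out).strip()


def _unquote(text):
    text = text.strip()
    if len(text) >= 2 and text[0] == text[-1] == '"':
        return text[1:-1]
    return text


def parse_user_value(value):
    """Decode the value of one user= keyword into a policy dict."""
    fields = _unquote(value).split(":", 3)          # the path may be quoted on its own
    if len(fields) != 4:
        raise ValueError("user entry needs username:umask:bits:path, got %r" % value)
    name, umask, bits, path = fields
    if not name:
        raise ValueError("empty username in %r" % value)
    if not re.fullmatch(r"[0-7]{3,4}", umask):
        raise ValueError("umask must be octal, got %r" % umask)
    if not re.fullmatch(r"[01]{5}", bits):
        raise ValueError("access bits must be five binary digits, got %r" % bits)
    return {
        "user": name,
        "umask": int(umask, 8),
        "allow": {cmd: bit == "1" for cmd, bit in zip(COMMANDS, bits)},
        "chroot": _unquote(path) or None,       # assumption: empty path means no chroot
    }


def parse_conf(text):
    """Return (global policy, {username: per-user policy})."""
    # Assumed built-in defaults when a keyword is absent: nothing allowed, no chroot.
    global_policy = {"umask": 0o077, "allow": {c: False for c in COMMANDS}, "chroot": None}
    users = {}
    for raw in text.splitlines():
        line = _strip_comment(raw)
        if not line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if key in GLOBAL_ALLOW_KEYS:            # bare keyword, no value
            global_policy["allow"][GLOBAL_ALLOW_KEYS[key]] = True
        elif key == "umask":
            global_policy["umask"] = int(value, 8)
        elif key == "chrootpath":
            global_policy["chroot"] = _unquote(value) or None
        elif key == "user":
            entry = parse_user_value(value)
            users[entry["user"]] = entry
        # logfacility and anything else does not affect the access policy
    return global_policy, users


def effective_policy(conf_text, username):
    """A user= line overrides ALL global keywords for that user; everyone else gets the globals."""
    global_policy, users = parse_conf(conf_text)
    if username in users:
        return users[username]
    return dict(global_policy, user=username)


if __name__ == "__main__":
    for who in ("tom", "jerry", "spike", "tyke", "nibbles", "fred"):
        p = effective_policy(SAMPLE_CONF, who)
        allowed = ",".join(c for c in COMMANDS if p["allow"][c]) or "nothing"
        print("%-8s umask=%04o allowed=%-10s chroot=%s" % (who, p["umask"], allowed, p["chroot"]))
```

Running it shows the trap the comments below run into: fred, who has no user= line, is chrooted to /users with sftp only, while tom, jerry and spike are not chrooted at all because their per-user lines carry an empty path, whatever the global chrootpath says. Validating the bit field before deploying a line also catches the easy mistake of writing four or six digits, which rssh would not grant as intended.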

Recommended readings:

=> rssh home page
=> Redhat specific chroot jail script (outdated)
=> Refer man pages: rssh.conf, rssh, ssh, sshd, sftp, scp, rsync, sshd_config

Posted by: Vivek Gite

The author is the creator of nixCraft and a seasoned sysadmin, DevOps engineer, and a trainer for the Linux operating system/Unix shell scripting. Get the latest tutorials on SysAdmin, Linux/Unix and open source topics via RSS/XML feed or weekly email newsletter.

6 comments

  1. First, thank you Vivek! This series has been very helpful to me.

    At the end, I was not able to have the most important thing working on my box. I found a solution for that and hope that others can help this as well.

    Still, I am struggling with some options which do not seem to work on my side. I’ll try to explain further on. First let me try to explain what I have done.

    My box runs CentOS 5.1, and I have carried out all of this series’ settings and it’s working like a charm. But as soon as I fill in the home directory for a user, it blocks this user, who is not able to log in anymore.

    In rssh.conf I have now (all comments and not active options left out):
    logfacility = LOG_USER
    umask = 022
    chrootpath = /users

    With this, my user(s) can login with SFTP and can browse all the files but they reside in /users which they see as the root (/). So that’s fine!

    Ok, next I set it up for a _per_user_ specification.
    My rssh.conf has now only the following:
    logfacility = LOG_USER
    umask = 022

    With the above, my user sftptry has full access over the complete system, so even outside /users. Having the ‘chrootpath’ option on or off has no effect.

    The only thing now, which is also a safe choice, is that the sftp system is closed for everybody except ‘sftptry’.

    But I like to set it up so my users will only see their own root, and nothing more! So I change my user row to the following:

    Now this user, who was able to log in before, is not able to log in anymore. No matter what other settings I try (chrootpath on or off, allowXX on or off), it has no effect.

    So here’s my solution for the fact that all users with sftp access can view all files in /users:
    chmod 711 /users/bin
    chmod 711 /users/dev (and /users/etc|lib|usr)

    This way they _see_ the map, but are not able to open it, while it can be executed by the system _and_ the user (which is important).

    So, at the end, I have it working close enough to the way I want it. But I hope somebody can tell me why it is not working here with the ‘home/map’ option.
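The workaround described in the comment above (chmod 711 on the jail's bin, dev, etc, lib and usr) scripted as an added example, not code from the article or from the commenter: the directories keep execute permission for everyone so the jailed binaries and libraries still load, but lose group and world read so a jailed sftp user can no longer list them. The directory names are the ones the comment gives; the throwaway demo jail it builds under a temporary directory is an assumption of this example, and in real use you would point it at the jail root (such as /users) as root.

```python
"""Audit and hide the system directories inside an rssh chroot jail.

Added example, not from the article or its comments. It scripts the
"chmod 711 /users/bin, /users/dev (and etc|lib|usr)" workaround: traversable
by everyone (x), listable only by the owner (r).
"""
import os
import shutil
import stat
import tempfile

JAIL_SYSTEM_DIRS = ("bin", "dev", "etc", "lib", "usr")   # as named in the comment
HIDDEN_MODE = 0o711                                     # rwx for owner, x only for others


def listable_by_others(path):
    """True if group or other has read on the directory, i.e. can list its entries."""
    mode = stat.S_IMODE(os.lstat(path).st_mode)
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def audit_jail(jail_root):
    """Return the jail system dirs a jailed user could still list, in JAIL_SYSTEM_DIRS order."""
    exposed = []
    for name in JAIL_SYSTEM_DIRS:
        path = os.path.join(jail_root, name)
        # Symlinks are skipped: chmod would follow them out of the jail.
        if os.path.isdir(path) and not os.path.islink(path) and listable_by_others(path):
            exposed.append(name)
    return exposed


def harden_jail(jail_root):
    """Apply mode 711 to every exposed system dir; return the names that were changed."""
    changed = []
    for name in audit_jail(jail_root):
        os.chmod(os.path.join(jail_root, name), HIDDEN_MODE)
        changed.append(name)
    return changed


def demo():
    """Build a throwaway jail skeleton with world-listable dirs, harden it, and report."""
    root = tempfile.mkdtemp(prefix="rssh-jail-")   # assumption: a scratch jail for the demo
    try:
        for name in JAIL_SYSTEM_DIRS:
            path = os.path.join(root, name)
            os.mkdir(path)
            os.chmod(path, 0o755)      # the usual default: everyone can list
        before = audit_jail(root)
        changed = harden_jail(root)
        after = audit_jail(root)
        bin_mode = stat.S_IMODE(os.stat(os.path.join(root, "bin")).st_mode)
    finally:
        shutil.rmtree(root)
    return before, changed, after, bin_mode


if __name__ == "__main__":
    before, changed, after, bin_mode = demo()
    print("exposed before:", before)
    print("changed:", changed)
    print("exposed after:", after, "bin mode: %o" % bin_mode)
```

This only hides directory listings: a jailed user who already knows a path inside those directories can still open the file if its own mode allows it, so it complements a correct chroot and per-user line rather than replacing them. Also note that stripping the read bit from the jail's dev or etc can break tools that enumerate them, so run the audit first and test an sftp login after hardening.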

  2. Hi,

    I want to setup a server (centos5) for ssh tunneling only where users can’t see other users and are limited to a chroot directory (/users). Is there a way to allow tunneling with this setup or is it already enabled by default?


  3. I’m facing the same problem as Richard: users can view the whole jail, with restricted access to other users’ folders... but at least they know the folder tree, which I don’t want them to know.


  4. After finishing this walkthrough you really disappointed me and numerous others above. Your title is incorrect and the resulting setup is incomplete / doesn’t work anything like you mentioned above.


  5. When I follow this guide and configure chroot (for all users), the user can not log in to sftp or ssh (using the WinSCP application).
    I tried to do it 3 ways, but every way is the same: the user can not log in to sftp or ssh (using the WinSCP application).
    Please show me how to solve it?
    My email

    Thanks so much
