rssh: Per User Configuration Options For Chroot Jail

rssh is a restricted shell that provides limited access to a host over ssh: a user whose login shell is rssh can run only scp, sftp, cvs, rdist or rsync, and can optionally be locked into a chroot jail. rssh is configured in /etc/rssh.conf, which supports both system-wide settings and per-user settings. From the man page:
The user configuration directive allows for the configuration of options on a per-user basis. THIS KEYWORD OVERRIDES ALL OTHER KEYWORDS FOR THE SPECIFIED USER. That is, if you use a user keyword for user foo, then foo will use only the settings in that user line, and not any of the settings set with the keywords above. The user keyword’s argument consists of a group of fields separated by a colon (:), as shown below. The fields are, in order:

  • username : The username of the user for whom the entry provides options
  • umask : The umask for this user, in octal, just as it would be specified to the shell
  • access bits : Five binary digits, which indicate whether the user is allowed to use rsync, rdist, cvs, sftp, and scp, in that order. One means the command is allowed, zero means it is not.
  • path : The directory to which this user should be chrooted (this is not a command, it is a directory name). If this field is empty or omitted the user is not chrooted at all, even when chrootpath is set globally, because the user line replaces every global keyword for that user.

rssh examples of configuring per-user options

Open the /etc/rssh.conf file:
# vi /etc/rssh.conf
Allow user tom to bypass our chroot jail (sftp and scp access, no path field, so no jail):
user=tom:011:00011
Provide jerry cvs access with no chroot:
user=jerry:011:00100
Provide spike rsync access with no chroot:
user=spike:011:10000
Provide tyke scp access with a chroot jail located at /users:
user="tyke:011:00001:/users" # whole user string can be quoted
If your chroot path contains spaces, it must be quoted. Provide nibbles scp access with a chroot directory whose name contains spaces:
user=nibbles:011:00001:"/usr/local/tv/shows/tom and jerry"

Two points are worth checking before you save the file. First, a user line overrides all other keywords for that user, so the global allowscp, allowsftp and chrootpath settings no longer apply to tom, jerry and spike above: the five access bits and the fourth field are that user's complete policy. Second, a chrooted user such as tyke can only log in if /users is a populated jail (the scp and sftp-server binaries, the shared libraries they need, /dev/null and a minimal /etc/passwd); an empty chroot directory is the usual reason a user stops being able to log in as soon as a chroot path is configured, as several readers report in the comments below. Also note that a umask of 011 masks only the execute bits, so files the user creates remain group- and world-writable; use 022 or 077 unless you need that.
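The following Python is an added example, not code from this page or from rssh itself: a parser for the user= lines described above and a small audit that flags lines which leave a user outside any jail, refuse every command, or set a permissive umask. It implements only the layout that rssh.conf(5) documents (name:umask:bits:path, bits in the order rsync, rdist, cvs, sftp, scp) and the two quoting styles shown in the examples; the audit rules and the sample configuration are constructed for the example, and because a user line overrides all global keywords the parsed record is that user's complete effective policy.

```python
"""Parse and audit the per-user 'user=' lines of an rssh.conf.

Added example; not code from rssh. Field layout as in rssh.conf(5):
name:umask:access-bits:chroot-path, access bits ordered rsync, rdist,
cvs, sftp, scp. A user line overrides every global keyword for that
user, so the parsed record is the user's complete effective policy.
"""
import re
import shlex
from dataclasses import dataclass
from typing import List, Optional, Tuple

ACCESS_ORDER = ("rsync", "rdist", "cvs", "sftp", "scp")
_UMASK_RE = re.compile(r"^[0-7]{1,4}$")
_BITS_RE = re.compile(r"^[01]{5}$")


@dataclass(frozen=True)
class RsshUser:
    name: str
    umask: int                  # octal field converted to an int
    allowed: Tuple[str, ...]    # subset of ACCESS_ORDER, in that order
    chroot: Optional[str]       # None when the fourth field is empty or absent


def parse_user_line(line: str) -> Optional[RsshUser]:
    """Return the RsshUser for one 'user=' line; None for blank lines,
    comments and other keywords; raise ValueError on a malformed line."""
    # shlex handles both quoting styles on the page ('user="..."' and a
    # quoted chroot path) and drops trailing '# ...' comments.
    tokens = shlex.split(line, comments=True)
    if not tokens:
        return None
    joined = "".join(tokens)            # tolerate 'user = ...' spacing
    if not joined.startswith("user="):
        return None
    fields = joined[len("user="):].split(":", 3)  # a path may contain ':'
    if len(fields) < 3:
        raise ValueError(f"need name:umask:bits: {line!r}")
    name, umask, bits = fields[0], fields[1], fields[2]
    path = fields[3] if len(fields) == 4 else ""
    if not name:
        raise ValueError(f"empty username: {line!r}")
    if not _UMASK_RE.match(umask):
        raise ValueError(f"umask must be octal: {line!r}")
    if not _BITS_RE.match(bits):
        raise ValueError(f"access bits must be five 0/1 digits: {line!r}")
    allowed = tuple(cmd for cmd, bit in zip(ACCESS_ORDER, bits) if bit == "1")
    return RsshUser(name, int(umask, 8), allowed, path or None)


def audit_config(text: str) -> List[str]:
    """Audit rules of this example (not rssh's): report every user line that
    leaves the user unjailed, refuses every command, or creates files that
    group/others can write. Each finding reads 'user: problem'."""
    findings: List[str] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        try:
            u = parse_user_line(line)
        except ValueError as exc:
            findings.append(f"line {lineno}: {exc}")
            continue
        if u is None:
            continue
        if u.chroot is None:
            findings.append(f"{u.name}: no chroot path, sees the real filesystem")
        elif not u.chroot.startswith("/"):
            findings.append(f"{u.name}: chroot path {u.chroot!r} is not absolute")
        if not u.allowed:
            findings.append(f"{u.name}: all five access bits are 0, every command is refused")
        if (u.umask & 0o022) != 0o022:
            findings.append(f"{u.name}: umask {u.umask:03o} leaves group/other write bits set")
    return findings


# Constructed sample mirroring the examples on this page; the global
# keywords are ignored for every user that has its own line.
SAMPLE_RSSH_CONF = """\
logfacility = LOG_USER
umask = 022
chrootpath = /users
user=tom:011:00011
user=jerry:011:00100
user=spike:011:10000
user="tyke:011:00001:/users"   # whole user string can be quoted
user=nibbles:077:00001:"/usr/local/tv/shows/tom and jerry"
"""

if __name__ == "__main__":
    for finding in audit_config(SAMPLE_RSSH_CONF):
        print(finding)
```

Run it against a real file with `audit_config(open("/etc/rssh.conf").read())`; tom, jerry and spike are reported as unjailed because their lines carry no path field, and every 011 umask is reported, while nibbles (077, absolute chroot path) produces no finding.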

Recommended readings:

=> rssh home page
=> Redhat specific chroot jail script (outdated)
=> Refer man pages: rssh.conf, rssh, ssh, sshd, sftp, scp, rsync, sshd_config

6 comments
  • Richard Jun 17, 2008 @ 2:16

    First, thank you Vivek! This series has been very helpful to me.

    At the end, I was not able to have the most important thing working on my box. I found a solution for that and hope that it can help others as well.

    Still, I am struggling with some options which do not seem to work on my side. I'll try to explain further on. First let me try to explain what I have done.

    My box runs CentOS 5.1, and I have carried out all of this series' settings and it's working like a charm. But as soon as I fill in the home directory for a user, it blocks this user, who is not able to login anymore.

    In rssh.conf I have now (all comments and not active options left out):
    logfacility = LOG_USER
    umask = 022
    chrootpath = /users

    With this, my user(s) can login with SFTP and can browse all the files but they reside in /users which they see as the root (/). So that’s fine!

    Ok, next I set it up for a _per_user_ specification.
    My rssh.conf has now only the following:
    logfacility = LOG_USER
    umask = 022

    With the above, my user sftptry has full access over the complete system, so even outside /users. The ‘chrootpath’ option on or off has no effect.

    The only thing now, which is also a safe choice, is that the sftp system is closed for everybody except ‘sftptry’.

    But I like to set it up so my users will only see their own root, and nothing more! So I change my user row to the following:

    Now this user, who was able to login before, is not able to login anymore. No matter what other settings I try (chrootpath on or off, allowXX on or off) it has no effect.

    So here’s my solution for the fact that all users with sftp access can view all files in /users:
    chmod 711 /users/bin
    chmod 711 /users/dev (and /users/etc|lib|usr)

    This way they _see_ the map, but are not able to open it while it can be executed by the system _and_ the user (which is important).

    So, at the end, I have it working close enough the way I want it. But I hope somebody can tell me why it is not working here with the ‘home/map’ option.

  • Chris G. Sellers Dec 15, 2008 @ 21:46

    Do your users come from a directory (e.g. LDAP or NIS ?)

  • wuhaa Feb 10, 2009 @ 16:04


    I want to setup a server (centos5) for ssh tunneling only where users can’t see other users and are limited to a chroot directory (/users). Is there a way to allow tunneling with this setup or is it already enabled by default?


  • Chito Punk Oct 27, 2009 @ 13:59

    I’m facing same problem as Richard, users can view the whole jail, restricted access to other user folders.. but at least they know the folder tree… which I don’t want them to know that..


  • iMakeInternet Feb 4, 2010 @ 20:39

    After finishing this walkthrough you have really disappointed me and numerous others above. Your title is incorrect and the resulting setup is incomplete / doesn't work anything like you mentioned above.


  • Hoang Minh Hoa Apr 23, 2010 @ 9:21

    When I follow this guide and configure chroot (for all users), the user cannot log in to sftp or ssh (using the WinSCP application).
    I tried to do it 3 ways, but all of them are the same: the user cannot log in to sftp or ssh (using the WinSCP application).
    Please show me how to solve it.
    My email

    Thanks so much
