≡ Menu

How to: Configure User Account to Use a Restricted Shell ( rssh )

Now rssh is installed. Next logical step is configure user to use rssh. All you have to do is set a user account shell to /usr/bin/rssh. The following examples adds user didi to system with /usr/bin/rssh.

Create a new user with /usr/bin/rssh

Login as the root user

Type the following command to create a new user called didi:
# useradd -m -d /home/didi -s /usr/bin/rssh didi
# passwd didi

Change existing user shell to /usr/bin/rssh

Use chsh command or usermod command to change user login shell:
# usermod -s /usr/bin/rssh old-user-name
# usermod -s /usr/bin/rssh vivek
# chsh -s /usr/bin/rssh vivek

Try login via ssh or sftp

Now try login via ssh or sftp using username didi:
$ sftp didi@my.backup.server.com
$ ssh didi@my.backup.server.com

didi@my.backup.server.com's password: TYPE-THE-PASSWORD
Linux my.backup.server.com 2.6.22-14-generic #1 SMP Tue Dec 18 08:02:57 UTC 2007 i686

Last login: Thu Dec 27 16:35:04 2007 from localhost

This account is restricted by rssh.
This user is locked out.

If you believe this is in error, please contact your system administrator.

Connection to my.backup.server.com closed.

By default rssh configuration locks down everything including any sort of access.

Grant access to sftp and scp for all users

The default action for rssh to lock down everything. To grant access to scp or sftp open /etc/rssh.conf file:
# vi /etc/rssh.conf
Append or uncomment following two lines

Save and close the file. rssh reads configuration file on fly (there is no rssh service exists). Now user should able to run scp and sftp commands, but no shell access is granted:
$ scp /path/to/file didi@my.backup.server.com:/.
$ sftp didi@my.backup.server.com:/.

Connecting to lmy.backup.server.com...
didi@my.backup.server.com's password: 
sftp> pwd
Remote working directory: /home/didi

Understanding command configuration options

You need to add following keywords / directives to allow or disallow scp / sftp and other commands:

  • allowscp : Tells the shell that scp is allowed.
  • allowsftp : Tells the shell that sftp is allowed.
  • allowcvs : Tells the shell that cvs is allowed.
  • allowrdist : Tells the shell that rdist is allowed.
  • allowrsync : Tells the shell that rsync is allowed.

Tip: Create a group for rssh users, and limit executable access to the binaries to users in that group to improve security. Please use standard file permissions carefully and appropriately.

Share this on:

Your support makes a big difference:
I have a small favor to ask. More people are reading the nixCraft. Many of you block advertising which is your right, and advertising revenues are not sufficient to cover my operating costs. So you can see why I need to ask for your help. The nixCraft, takes a lot of my time and hard work to produce. If you use nixCraft, who likes it, helps me with donations:
Become a Supporter →    Make a contribution via Paypal/Bitcoin →   

Don't Miss Any Linux and Unix Tips

Get nixCraft in your inbox. It's free:

{ 15 comments… add one }
  • Pinoy Compuworld April 24, 2008, 5:58 am

    This article is a life saver. I am a freeBSD sysad but was forced to use centos! thanks man! im subscribing to your RSS Feeds!

  • Shubhendu June 25, 2008, 7:47 am

    I want to transfer file to other machine using
    scp or sftp. How can I use the scp or sftp in my
    shell script so that the system takes the password for sftp automatically.

  • stan July 3, 2008, 4:14 pm

    Nice tutorial!

    I was just happy that I found what I needed, but it seems there’s somethig that I’m missing.

    I need user friendly interface to upload/dowload files (for my friends) and rsync (for me :) ). So I uncommented “allowscp”, “allowsftp” and “allowrsync”. I tested ssh, scp and sftp in console and everythig worked as expected, but when I tried to connect with gFTP (I’m using Ubuntu Hardy) and selected SSH2 connection, I was available to browse the direcroties below my user’s home dir. In that case rssh is not really “restricted”. Is this some bug?

    gFTP connects to the remote host with “ssh -e none -l myusername -s sftp”. When I type it in the console and enter the password, the cursor blinks on the next row until I press Ctrl+C. In the auth.log says:
    Connection from port 36633
    Failed none for myusername from port 36633 ssh2
    Accepted password for myusername from port 36633 ssh2
    pam_unix(sshd:session): session opened for user myusername by (uid=0)
    subsystem request for sftp

    I’ll make a post in ubuntuforums.org, but tought it will be usefull for others if we find what’s the reason for this behaviour.

    I would preffer using rssh whithout chroot, so please help me solve this issue.

  • agrd_sn November 19, 2010, 7:50 am

    i use filezilla and got this error:
    Error: Connection closed by server with exitcode 128
    Error: Could not connect to server
    how to resolv this problem?
    thx b4.


    • Esteban du Plantier January 17, 2011, 7:34 pm

      Nope, you need to add the user account to the rsshusers group :-)
      ls -la /usr/bin/rssh
      -rwxr-x— 1 root rsshusers 22276 Nov 4 16:27 /usr/bin/rssh

  • agrd_sn November 19, 2010, 7:56 am

    i’ve found it.
    i add permission (x) for others to execute /usr/bin/rssh

    • Sanchit January 17, 2013, 5:36 pm

      i am facing similar problem which you were facing ?how did you resolve it.
      Error: Connection closed by server with exitcode 128
      Error: Could not connect to server

  • Apu May 7, 2011, 2:25 pm

    where do i can get the rssh package and what i have to do at /usr/bin/rssh file

  • Apu May 7, 2011, 2:28 pm

    rssh package is available at http://packages.sw.be/rssh/

  • Shells October 10, 2011, 8:48 pm

    If I try to connect over ssh, I get an immediate Connection Closed. On Filezilla, I get exitcode 1. Any ideas?

    • Shells October 10, 2011, 8:50 pm

      Actually, to clarify: Over ssh, I get an “account restricted by ssh” message, allowed commands: scp sftp. And then a connection closed.

      • nixCraft October 11, 2011, 2:45 pm

        It means, shell access is not allowed. You can only upload or download files using sftp/scp client.

        • mro December 2, 2012, 12:29 am

          i also have this exitcode 1 issue.

          i can not connect successfully with sftp

          Command: open “USER@DOMAIN” 22
          Command: Pass: ********
          Status: Connected to DOMAIN
          Error: Connection closed by server with exitcode 1
          Error: Could not connect to server

          when i login via ssh i get this exitcode error and it disconnects

  • John December 1, 2011, 1:47 am

    Thanks, I was getting the connection closed error and adding the user to rsshusers worked!

    /usr/sbin/usermod -a -G rsshusers username

  • bharat June 22, 2012, 6:56 am

    Hi Vivek,

    I have created account by rssh and then applied chroot by your article: http://www.cyberciti.biz/tips/howto-linux-unix-rssh-chroot-jail-setup.html
    And also have allowscp & allowsftp flags un-commented.

    But then when I try to scp I get following error:
    unknown user 504
    Any idea?

Leave a Comment

   Tagged with: , , , , , , , , , , , ,