How to: Configure a User Account to Use a Restricted Shell (rssh)

Now rssh is installed. The next logical step is to configure a user to use rssh. All you have to do is set the user account's shell to /usr/bin/rssh. The following example adds the user didi to the system with /usr/bin/rssh as the login shell.

Create a new user with /usr/bin/rssh

Log in as the root user.

Type the following command to create a new user called didi:
# useradd -m -d /home/didi -s /usr/bin/rssh didi
# passwd didi

Change existing user shell to /usr/bin/rssh

Use the chsh command or the usermod command to change a user's login shell:
# usermod -s /usr/bin/rssh old-user-name
# usermod -s /usr/bin/rssh vivek
# chsh -s /usr/bin/rssh vivek

Try to log in via ssh or sftp

Now try to log in via ssh or sftp using the username didi:
$ sftp
$ ssh
Output:'s password: TYPE-THE-PASSWORD
Linux 2.6.22-14-generic #1 SMP Tue Dec 18 08:02:57 UTC 2007 i686

Last login: Thu Dec 27 16:35:04 2007 from localhost

This account is restricted by rssh.
This user is locked out.

If you believe this is in error, please contact your system administrator.

Connection to closed.

By default, the rssh configuration locks down everything, denying any sort of access.

Grant access to sftp and scp for all users

The default action for rssh is to lock down everything. To grant access to scp or sftp, open the /etc/rssh.conf file:
# vi /etc/rssh.conf
Append or uncomment the following two lines:

Save and close the file. rssh reads its configuration file on the fly (there is no rssh service). Now the user should be able to run the scp and sftp commands, but no shell access is granted:
$ scp /path/to/file
$ sftp

Connecting to's password:
sftp> pwd
Remote working directory: /home/didi

Understanding command configuration options

You need to add the following keywords / directives to allow or disallow scp / sftp and other commands:

  • allowscp : Tells the shell that scp is allowed.
  • allowsftp : Tells the shell that sftp is allowed.
  • allowcvs : Tells the shell that cvs is allowed.
  • allowrdist : Tells the shell that rdist is allowed.
  • allowrsync : Tells the shell that rsync is allowed.

Tip: Create a group for rssh users, and limit executable access to the binaries to users in that group to improve security. Please use standard file permissions carefully and appropriately.
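
To check a host against the directives listed above, the following added example (not from the original article and not part of rssh) lists the accounts whose login shell is /usr/bin/rssh and reports which allow* directives are active in a given rssh.conf. The function names and sample files are constructed for illustration, and it assumes one lower-case directive per line with # starting a comment.

```shell
#!/bin/sh
# Added example: audit rssh accounts and the global rssh.conf directives.
RSSH_SHELL=/usr/bin/rssh

# Login names whose shell (7th passwd field) is rssh.  $1 = passwd file
rssh_accounts() {
    awk -F: -v sh="$RSSH_SHELL" '$7 == sh { print $1 }' "$1"
}

# Active allow* directives; comments and surrounding blanks are ignored.
# $1 = rssh.conf
rssh_enabled() {
    awk '{ sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }
         /^allow(scp|sftp|cvs|rdist|rsync)$/ { print }' "$1" | sort -u
}

# One-line verdict: nothing enabled, scp/sftp only, or wider access.
# $1 = rssh.conf
rssh_posture() {
    enabled=$(rssh_enabled "$1" | tr '\n' ' ' | sed 's/ $//')
    case "$enabled" in
        "") echo "locked-out" ;;
        *allowcvs*|*allowrdist*|*allowrsync*) echo "review: $enabled" ;;
        *) echo "transfer-only: $enabled" ;;
    esac
}

# Constructed sample files (not real system data), written into directory $1.
write_samples() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
didi:x:1001:1001::/home/didi:/usr/bin/rssh
vivek:x:1002:1002::/home/vivek:/usr/bin/rssh
alice:x:1003:1003::/home/alice:/bin/bash
EOF
    cat > "$1/rssh.conf" <<'EOF'
# constructed sample rssh.conf
allowscp
allowsftp
#allowcvs
#allowrdist
#allowrsync
EOF
}

demo=$(mktemp -d)
write_samples "$demo"
echo "rssh accounts: $(rssh_accounts "$demo/passwd" | tr '\n' ' ')"
echo "posture: $(rssh_posture "$demo/rssh.conf")"
rm -rf "$demo"
```

On a real host, point the functions at /etc/passwd and /etc/rssh.conf; a "locked-out" verdict matches the default behaviour described earlier.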

15 comments… add one
  • Pinoy Compuworld Apr 24, 2008 @ 5:58

    This article is a life saver. I am a FreeBSD sysad but was forced to use CentOS! Thanks man! I'm subscribing to your RSS feeds!

  • Shubhendu Jun 25, 2008 @ 7:47

    I want to transfer a file to another machine using scp or sftp. How can I use scp or sftp in my shell script so that the system takes the password for sftp automatically?

  • stan Jul 3, 2008 @ 16:14

    Nice tutorial!

    I was just happy that I found what I needed, but it seems there’s something that I’m missing.

    I need a user-friendly interface to upload/download files (for my friends) and rsync (for me 🙂 ). So I uncommented “allowscp”, “allowsftp” and “allowrsync”. I tested ssh, scp and sftp in the console and everything worked as expected, but when I tried to connect with gFTP (I’m using Ubuntu Hardy) and selected an SSH2 connection, I was able to browse the directories below my user’s home dir. In that case rssh is not really “restricted”. Is this some bug?

    gFTP connects to the remote host with “ssh -e none -l myusername -s sftp”. When I type it in the console and enter the password, the cursor blinks on the next row until I press Ctrl+C. The auth.log says:
    Connection from port 36633
    Failed none for myusername from port 36633 ssh2
    Accepted password for myusername from port 36633 ssh2
    pam_unix(sshd:session): session opened for user myusername by (uid=0)
    subsystem request for sftp

    I’ll make a post in, but thought it will be useful for others if we find what’s the reason for this behaviour.

    I would prefer using rssh without chroot, so please help me solve this issue.

  • agrd_sn Nov 19, 2010 @ 7:50

    I use FileZilla and got this error:
    Error: Connection closed by server with exitcode 128
    Error: Could not connect to server
    How to resolve this problem?
    thx b4.


    • Esteban du Plantier Jan 17, 2011 @ 19:34

      Nope, you need to add the user account to the rsshusers group 🙂
      ls -la /usr/bin/rssh
      -rwxr-x--- 1 root rsshusers 22276 Nov 4 16:27 /usr/bin/rssh

  • agrd_sn Nov 19, 2010 @ 7:56

    I’ve found it.
    I added permission (x) for others to execute /usr/bin/rssh

    • Sanchit Jan 17, 2013 @ 17:36

      I am facing a similar problem to the one you were facing. How did you resolve it?
      Error: Connection closed by server with exitcode 128
      Error: Could not connect to server

  • Apu May 7, 2011 @ 14:25

    Where can I get the rssh package and what do I have to do at the /usr/bin/rssh file?

  • Apu May 7, 2011 @ 14:28

    rssh package is available at

  • Shells Oct 10, 2011 @ 20:48

    If I try to connect over ssh, I get an immediate Connection Closed. On Filezilla, I get exitcode 1. Any ideas?

    • Shells Oct 10, 2011 @ 20:50

      Actually, to clarify: Over ssh, I get an “account restricted by ssh” message, allowed commands: scp sftp. And then a connection closed.

      • 🐧 nixCraft Oct 11, 2011 @ 14:45

        It means shell access is not allowed. You can only upload or download files using an sftp/scp client.

        • mro Dec 2, 2012 @ 0:29

          I also have this exitcode 1 issue.

          I cannot connect successfully with sftp

          Command: open “USER@DOMAIN” 22
          Command: Pass: ********
          Status: Connected to DOMAIN
          Error: Connection closed by server with exitcode 1
          Error: Could not connect to server

          When I log in via ssh I get this exitcode error and it disconnects.

  • John Dec 1, 2011 @ 1:47

    Thanks, I was getting the connection closed error and adding the user to rsshusers worked!

    /usr/sbin/usermod -a -G rsshusers username

  • bharat Jun 22, 2012 @ 6:56

    Hi Vivek,

    I have created an account with rssh and then applied chroot by your article:
    And also have the allowscp & allowsftp flags uncommented.

    But then when I try to scp I get the following error:
    unknown user 504
    Any idea?
