How to: Configure User Account to Use a Restricted Shell ( rssh )

last updated in Categories Linux, Security, Sys admin, Tips, UNIX

Now rssh is installed. Next logical step is configure user to use rssh. All you have to do is set a user account shell to /usr/bin/rssh. The following examples adds user didi to system with /usr/bin/rssh.


Create a new user with /usr/bin/rssh

Login as the root user

Type the following command to create a new user called didi:
# useradd -m -d /home/didi -s /usr/bin/rssh didi
# passwd didi

Change existing user shell to /usr/bin/rssh

Use chsh command or usermod command to change user login shell:
# usermod -s /usr/bin/rssh old-user-name
# usermod -s /usr/bin/rssh vivek
# chsh -s /usr/bin/rssh vivek

Try login via ssh or sftp

Now try login via ssh or sftp using username didi:
$ sftp didi@my.backup.server.com
OR
$ ssh didi@my.backup.server.com
Output:

didi@my.backup.server.com's password: TYPE-THE-PASSWORD
Linux my.backup.server.com 2.6.22-14-generic #1 SMP Tue Dec 18 08:02:57 UTC 2007 i686

Last login: Thu Dec 27 16:35:04 2007 from localhost

This account is restricted by rssh.
This user is locked out.

If you believe this is in error, please contact your system administrator.

Connection to my.backup.server.com closed.

By default rssh configuration locks down everything including any sort of access.

Grant access to sftp and scp for all users

The default action for rssh to lock down everything. To grant access to scp or sftp open /etc/rssh.conf file:
# vi /etc/rssh.conf
Append or uncomment following two lines
allowscp
allowsftp

Save and close the file. rssh reads configuration file on fly (there is no rssh service exists). Now user should able to run scp and sftp commands, but no shell access is granted:
$ scp /path/to/file didi@my.backup.server.com:/.
OR
$ sftp didi@my.backup.server.com:/.
Output:

Connecting to lmy.backup.server.com...
didi@my.backup.server.com's password:
sftp> pwd
Remote working directory: /home/didi
sftp>

Understanding command configuration options

You need to add following keywords / directives to allow or disallow scp / sftp and other commands:

  • allowscp : Tells the shell that scp is allowed.
  • allowsftp : Tells the shell that sftp is allowed.
  • allowcvs : Tells the shell that cvs is allowed.
  • allowrdist : Tells the shell that rdist is allowed.
  • allowrsync : Tells the shell that rsync is allowed.

Tip: Create a group for rssh users, and limit executable access to the binaries to users in that group to improve security. Please use standard file permissions carefully and appropriately.

ADVERTISEMENTS

Posted by: Vivek Gite

The author is the creator of nixCraft and a seasoned sysadmin, DevOps engineer, and a trainer for the Linux operating system/Unix shell scripting. Get the latest tutorials on SysAdmin, Linux/Unix and open source topics via RSS/XML feed or weekly email newsletter.

15 comment

  1. This article is a life saver. I am a freeBSD sysad but was forced to use centos! thanks man! im subscribing to your RSS Feeds!

  2. I want to transfer file to other machine using
    scp or sftp. How can I use the scp or sftp in my
    shell script so that the system takes the password for sftp automatically.

  3. Nice tutorial!

    I was just happy that I found what I needed, but it seems there’s somethig that I’m missing.

    I need user friendly interface to upload/dowload files (for my friends) and rsync (for me 🙂 ). So I uncommented “allowscp”, “allowsftp” and “allowrsync”. I tested ssh, scp and sftp in console and everythig worked as expected, but when I tried to connect with gFTP (I’m using Ubuntu Hardy) and selected SSH2 connection, I was available to browse the direcroties below my user’s home dir. In that case rssh is not really “restricted”. Is this some bug?

    gFTP connects to the remote host with “ssh -e none -l myusername 192.168.0.110 -s sftp”. When I type it in the console and enter the password, the cursor blinks on the next row until I press Ctrl+C. In the auth.log says:
    Connection from 192.168.0.130 port 36633
    Failed none for myusername from 192.168.0.130 port 36633 ssh2
    Accepted password for myusername from 192.168.0.130 port 36633 ssh2
    pam_unix(sshd:session): session opened for user myusername by (uid=0)
    subsystem request for sftp

    I’ll make a post in ubuntuforums.org, but tought it will be usefull for others if we find what’s the reason for this behaviour.

    I would preffer using rssh whithout chroot, so please help me solve this issue.

  4. i use filezilla and got this error:
    Error: Connection closed by server with exitcode 128
    Error: Could not connect to server
    how to resolv this problem?
    thx b4.

    cheers,
    agrd_sn

    1. Nope, you need to add the user account to the rsshusers group 🙂
      Steve.
      ls -la /usr/bin/rssh
      -rwxr-x— 1 root rsshusers 22276 Nov 4 16:27 /usr/bin/rssh

    1. i am facing similar problem which you were facing ?how did you resolve it.
      Error: Connection closed by server with exitcode 128
      Error: Could not connect to server

  5. If I try to connect over ssh, I get an immediate Connection Closed. On Filezilla, I get exitcode 1. Any ideas?

    1. Actually, to clarify: Over ssh, I get an “account restricted by ssh” message, allowed commands: scp sftp. And then a connection closed.

        1. i also have this exitcode 1 issue.

          i can not connect successfully with sftp

          Command: open “USER@DOMAIN” 22
          Command: Pass: ********
          Status: Connected to DOMAIN
          Error: Connection closed by server with exitcode 1
          Error: Could not connect to server

          when i login via ssh i get this exitcode error and it disconnects

  6. Thanks, I was getting the connection closed error and adding the user to rsshusers worked!

    /usr/sbin/usermod -a -G rsshusers username

    Have a question? Post it on our forum!