How to: Restrict Users to SCP and SFTP and Block SSH Shell Access with rssh

Categories: Howto, Linux, RedHat/Fedora Linux, Security, Sys admin, Tips, UNIX

FTP is an insecure protocol, but file transfer is needed all the time. You can use the OpenSSH server to transfer files with SCP and SFTP (the SSH file transfer protocol) without setting up an FTP server. However, an account that can use scp or sftp normally also gets an interactive SSH login: OpenSSH starts both the sftp subsystem and the scp helper through the user's login shell (shell -c "command"), so the account needs a working shell, and that same shell lets the user log in and run anything. Here is how sftp works:


SCP/SFTP client -> sshd -> runs the user's login shell with -c "<command>" (sftp-server subsystem, or scp -t / scp -f) -> an ordinary shell accepts any command -> the user can also log in interactively and run other commands.
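To make that chokepoint concrete, here is a toy restricted login shell in POSIX sh. It is an added illustration for this article, not rssh (which is written in C and has its own command parser) and not production code. It assumes the Debian/Ubuntu sftp-server path /usr/lib/openssh/sftp-server and accepts only the sftp subsystem or the server side of scp (scp -t for uploads, scp -f for downloads); anything else, including an interactive login, is refused.

```shell
#!/bin/sh
# toy_rssh.sh -- illustrative restricted login shell (added example, not rssh).
#
# sshd starts the account's login shell as:   $SHELL -c "<command>"
# both for the sftp subsystem and for scp, so the login shell is the one place
# where "file transfer only" can be enforced.

SFTP_SERVER=/usr/lib/openssh/sftp-server   # assumption: Debian/Ubuntu location

# is_allowed_command "<command line>" -> 0 if permitted, 1 otherwise.
is_allowed_command() {
    # Split on whitespace only, with globbing off. No shell ever re-parses the
    # string, so ';', '|', '$(' and friends carry no meaning here; they would
    # reach the target program as literal argument text, if at all.
    set -f
    set -- $1
    set +f
    [ $# -gt 0 ] || return 1                 # empty command: nothing to allow
    case "$1" in
        "$SFTP_SERVER")
            [ $# -eq 1 ] ;;                  # sftp-server takes no client-supplied arguments
        scp)
            # The server side of scp is "scp [-rpdv] -t <dir>" (upload) or
            # "scp [-rpdv] -f <file>" (download). Every argument but the last must
            # be a cluster of those flags, exactly one cluster must pick -t or -f,
            # and the last argument is the path, which must not look like a flag.
            # Other scp flags (-S, -o, ...) are refused outright.
            [ $# -ge 3 ] || return 1
            shift
            mode=0
            while [ $# -gt 1 ]; do
                case "$1" in
                    -|-*[!rpdvtf]*) return 1 ;;      # bare "-" or a flag outside the allowlist
                    -*[tf]*)        mode=$((mode + 1)) ;;
                    -*)             ;;               # only -r, -p, -d, -v
                    *)              return 1 ;;      # a second non-flag word, e.g. "/tmp;" "bash"
                esac
                shift
            done
            [ "$mode" -eq 1 ] || return 1
            case "$1" in -*) return 1 ;; esac
            return 0 ;;
        *)
            return 1 ;;                      # any other program: bash, ls, rsync, ...
    esac
}

# --- login shell entry point --------------------------------------------------
# sshd invokes a login shell with argv[0] starting with "-" for interactive
# sessions, and as "<shell> -c <command>" for sftp and scp. Anything not on
# the allowlist is refused with the kind of message rssh itself prints.
case "$0" in
    -*) echo "This account is restricted to scp and sftp." >&2; exit 1 ;;
esac
if [ "$1" = "-c" ]; then
    if is_allowed_command "$2"; then
        set -f; set -- $2; set +f
        exec "$@"                            # execv-style: no shell in between
    fi
    echo "This account is restricted to scp and sftp." >&2
    exit 1
fi
```

Install it as, say, /usr/local/bin/toy_rssh and assign it to a test account with usermod -s: ssh user@host is refused, while sftp user@host and scp file user@host: work. Real rssh additionally handles quoted arguments, rsync, rdist and cvs, chroot jails and per-user policy; the toy splits on whitespace, so a path containing spaces is refused rather than mishandled.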

In this article series we show how to provide a secure, restricted file-transfer service to your users without resorting to FTP. It also covers chroot jail setup, to lock users into their own home directories (they can transfer files but cannot browse the rest of the server's Linux / UNIX file system), as well as per-user configuration. If you only need SFTP, note that OpenSSH 4.9 and later can confine such users on their own with ChrootDirectory and ForceCommand internal-sftp in sshd_config; rssh is useful when scp, rsync, cvs or rdist must be allowed as well.

rssh ~ a restricted shell

rssh is a restricted shell for use with OpenSSH, allowing only scp and/or sftp. It now also includes support for rdist, rsync, and cvs. For example, if you have a server which you only want to allow users to copy files off of via scp, without providing shell access, you can use rssh to do that.

Supported operations using rssh

The restricted shell allows only the following operations:

  • scp – secure file copy
  • sftp – SSH file transfer protocol (secure FTP)
  • cvs – Concurrent Versions System, so users can check code in and out (for example retrieve old versions to see exactly which change caused a bug)
  • rsync – remote file synchronisation and backup
  • rdist – the RDist program maintains identical copies of files on multiple hosts

Install rssh

CentOS / Fedora / RHEL Linux rssh installation

Download the rssh package from Dag's repository and install it with rpm:
# cd /tmp
# wget
# rpm -ivh rssh-2.3.2-1.2.el5.rf.i386.rpm

Debian / Ubuntu Linux rssh installation

Use apt-get command:
$ sudo apt-get install rssh

FreeBSD installation

# cd /usr/ports/shells/rssh
# make install clean

Make sure the binary is built with rsync support if you intend to allow rsync.

rssh configuration file

  • The configuration file is /etc/rssh.conf (FreeBSD: /usr/local/etc/rssh.conf).
  • The rssh binary is /usr/bin/rssh (FreeBSD: /usr/local/bin/rssh); this is the path you assign as a user's login shell.
  • rssh listens on no port of its own: it is a login shell with security checks, so users still connect through sshd on its usual port (22 by default).
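A worked configuration, added here as an example (it is not from the rssh distribution): a small shell script that builds an rssh.conf granting one user scp and sftp only, inside a chroot, using the per-user user= line of rssh.conf(5) for rssh 2.3.x. The user names alice and backup, the chroot path /var/chroot and the output file are assumptions for the illustration. The five access bits are rsync, rdist, cvs, sftp, scp from left to right in rssh 2.3.2; rssh 2.3.3 added an svn bit on the left, so check the man page shipped with your version before copying the bit strings.

```shell
#!/bin/sh
# make_rssh_conf.sh -- generate an rssh.conf for file-transfer-only accounts.
# Added example; it writes a file and does not touch /etc or the user database.
#
# rssh.conf(5), rssh 2.3.x:   user=<name>:<umask>:<access bits>:<chroot path>
# access bits, left to right: rsync rdist cvs sftp scp   (assumption: the
# five-bit form of rssh 2.3.2; 2.3.3+ prefixes an svn bit, check your man page)

# rssh_access_bits "sftp scp"  ->  00011
rssh_access_bits() {
    rsync=0; rdist=0; cvs=0; sftp=0; scp=0
    for svc in $1; do
        case $svc in
            rsync) rsync=1 ;;
            rdist) rdist=1 ;;
            cvs)   cvs=1 ;;
            sftp)  sftp=1 ;;
            scp)   scp=1 ;;
            *) echo "rssh_access_bits: unknown service '$svc'" >&2; return 1 ;;
        esac
    done
    printf '%s%s%s%s%s\n' "$rsync" "$rdist" "$cvs" "$sftp" "$scp"
}

# rssh_user_line <user> <umask> "<services>" [<chroot path>]  ->  one user= line
rssh_user_line() {
    case $2 in
        [0-7][0-7][0-7]) ;;
        *) echo "rssh_user_line: umask must be three octal digits" >&2; return 1 ;;
    esac
    bits=$(rssh_access_bits "$3") || return 1
    printf 'user=%s:%s:%s:%s\n' "$1" "$2" "$bits" "${4:-}"
}

# write_rssh_conf <file> <user line>...  -> writes a complete rssh.conf
# The global policy is deliberately "allow nothing": an account whose shell is
# rssh is locked out unless an allow* directive or a user= line grants a service,
# so a typo in a user name fails closed instead of opening scp+sftp to everyone.
write_rssh_conf() {
    out=$1; shift
    {
        echo '# generated by make_rssh_conf.sh'
        echo 'logfacility = LOG_USER'
        echo 'umask = 077'
        echo '# no global allowscp/allowsftp/allowrsync/...: per-user grants only'
        for line in "$@"; do
            echo "$line"
        done
    } > "$out"
}

# Example run (names and paths are illustrative):
#   ./make_rssh_conf.sh /tmp/rssh.conf
#   install -m 0644 /tmp/rssh.conf /etc/rssh.conf     # as root
#   usermod -s /usr/bin/rssh alice                    # FreeBSD: /usr/local/bin/rssh
if [ -n "$1" ]; then
    write_rssh_conf "$1" \
        "$(rssh_user_line alice 022 'sftp scp' /var/chroot)" \
        "$(rssh_user_line backup 077 'rsync' /var/chroot)"
fi
```

After changing the login shell, verify from another machine that ssh alice@host is refused with rssh's "restricted" message while sftp alice@host works; if the user sees "This user is locked out" instead, the user= line does not match the account name or grants no service.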


Posted by: Vivek Gite

The author is the creator of nixCraft and a seasoned sysadmin, DevOps engineer, and a trainer for the Linux operating system/Unix shell scripting.

25 comments

  1. As a note, rssh is available in Mandriva Contribs (for 2008 and Cooker at least). So ‘urpmi rssh’ should work fine.

  2. The developer of rssh quit developing rssh two years ago. I wouldn't recommend using rssh since security issues won't be fixed. Better to use scponly…

  3. Hi Vivek,

    Thanks a lot, I have installed the SFTP server using the above procedure. Now I want users to be able to log in using their public and private key pairs instead of passwords. Is it possible? Can anyone help me please? Thanks.

  4. Hi, thanks for the article. It helped a lot.

    But I have a requirement to allow internal transmissions using FTP with the same account. After I set up rssh and change the shell on an SFTP/FTP account to rssh, the user can no longer access the server via SSH and is only allowed SFTP. But it also rejects FTP access. Is there a way around this…?

    1. I haven't tried it yet, but, as I understand it, you use rssh if you want to restrict the user's access to SFTP, SCP, rsync and a few other services. If you want to allow the user to use SSH, FTP and more, there is no reason to use rssh for that user.

  5. Hi, when I try to ssh I get the message "This account is restricted by rssh. This user is locked out. If you believe this is in error, please contact your system administrator." How do I change it?
    Thank you

  6. Vivek:
    I do not want the users to land in their respective home directories, for example /users/vivek; instead I want them to land only in /users/vivek/data and not even be able to jump to /users/vivek. Where should we make the change, in the /etc/passwd file?

  7. Hi,
    I hope someone can answer my question about scp and sftp in openSUSE 11.3. I tried to use the internal sftpd and it was working OK, but you cannot do scp with the internal sftpd. Of course I also want to chroot users in a jail, which the internal sftpd allows you to do, but you cannot scp. Are there any instructions on how to do it, or do some of you know how it is done?

  8. I had a great deal of trouble getting this to work on RHEL 5.6 i386 until I discovered there was a permissions problem with several directories.

    1. yum install rssh-2.3.2-1.2.el5.rf.i386.rpm and consider version locking, later versions seem broken
    2. /etc/rssh.conf – uncomment #allowscp and #allowsftp and set the chrootpath =
    3. chmod o+x the chrootpath
    4. cd chrootpath
    5. mkdir dev etc lib usr
    6. chmod 755 *
    7. mknod -m 666 /<chrootpath>/dev/null c 1 3
    8. cp /etc/group /etc/passwd /etc/ /etc/ /etc/ /etc/nsswitch.conf to /<chrootpath>/etc
    9. cp the /lib ldd results to /<chrootpath>/lib
    A. cd chrootpath/usr
    B. mkdir lib libexec
    C. chmod o+x *
    D. cp the /usr/lib ldd results to /<chrootpath>/usr/lib
    E. cp rssh_chroot_helper to /<chrootpath>/usr/libexec
    F. chmod 655 rssh_chroot_helper
    G. mkdir openssh
    H. cp sftp-server to /<chrootpath>/usr/libexec/openssh
    I. chmod 755 sftp-server

    Persistently the problems I ran into were (a) not copying /etc/group and /etc/passwd, or leaving them empty; they need at a minimum entries for root and the users that will sftp into the chrootpath, and (b) not realizing the importance of the o+x on the chrootpath and on the directories holding rssh_chroot_helper and sftp-server.

    I finally stumbled upon the issue by temporarily running chmod -R 777 across the entire chrootpath on a test box and working the problem backwards once it was working, removing unnecessary things and permissions.

    The debugging built into sshd and rssh was not very helpful; straces of the rssh shell and sftp-server were equally unhelpful in debugging the problem. The results of the straces seemed to indicate there were no problems accessing any files.

    I suspect the logging would have been more helpful with a "full" duplicate of the operating system in the chroot instead of a minimal system; with the minimal resources the debug logging did not occur after the chroot took place.

  9. Addendum

    The tips above include a "<chrootpath>" between the double slashes "//", but the comment posting system interpreted it as an HTML tag because of the angle brackets and removed the left angle bracket, "chrootpath" and the right angle bracket.

    Just thought I'd mention that the double slashes are important to interpreting the tips.
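The two things that bit the commenter above, missing shared libraries and directories that are not world-executable, can be checked mechanically. The script below is an added example for this article (it is not from rssh or from the commenter): copy_with_libs copies a binary plus everything ldd reports for it into the jail, mirroring steps 9 and D of the recipe, and path_traversable walks from the jail root down to a file and reports the first directory an unprivileged user could not enter, the o+x problem from point (b). Only run ldd on trusted system binaries, since ldd may execute the file it inspects. Device nodes, the setuid rssh_chroot_helper and the passwd/group copies are left to the steps in the recipe; the jail path /var/chroot in the usage comment is illustrative.

```shell
#!/bin/sh
# chroot_helpers.sh -- build and check a minimal jail for rssh's helpers.
# Added example; not part of rssh. Uses only ldd, awk, cp, mkdir and ls.

# copy_with_libs <jail> <binary>
# Copies <binary> and every shared object ldd lists for it into <jail>,
# recreating the original directory layout (e.g. <jail>/lib64/ld-linux-x86-64.so.2).
# The body runs in a subshell so umask 022 (world-traversable directories)
# does not leak into the caller; "exit" therefore only leaves the subshell.
copy_with_libs() (
    jail=${1%/}; bin=$2
    [ -f "$bin" ] || { echo "copy_with_libs: no such file: $bin" >&2; exit 1; }
    umask 022
    # Every whitespace-separated field of ldd's output that is an absolute path:
    # covers "libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x...)" as well as
    # the bare loader line "/lib64/ld-linux-x86-64.so.2 (0x...)". A statically
    # linked binary yields no paths and is simply copied on its own.
    deps=$(ldd "$bin" 2>/dev/null | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }')
    for f in "$bin" $deps; do
        mkdir -p "$jail$(dirname "$f")" || exit 1
        cp -p "$f" "$jail$f" || exit 1      # -p keeps the mode bits; cp follows symlinks
    done
    exit 0
)

# path_traversable <jail> </abs/path/inside/jail>
# Succeeds only if <jail> itself and every directory between it and the file
# are executable by "other"; prints the first offending directory otherwise.
# This is exactly the o+x check for chrootpath and the helper directories.
path_traversable() {
    jail=${1%/}
    case $2 in /*) ;; *) echo "path_traversable: path must be absolute" >&2; return 1 ;; esac
    d=$(dirname "$jail$2")
    while :; do
        # 10th character of "ls -ld" is the "other" execute bit: x, or t when sticky.
        case $(ls -ld "$d" | cut -c10) in
            x|t) ;;
            *) echo "not world-executable (o+x): $d" >&2; return 1 ;;
        esac
        [ "$d" = "$jail" ] && return 0
        [ "$d" = / ] && return 1             # climbed past the jail: bad arguments
        d=$(dirname "$d")
    done
}

# Example (as root; the jail path is illustrative):
#   jail=/var/chroot; mkdir -p "$jail"; chmod 755 "$jail"
#   copy_with_libs "$jail" /usr/libexec/openssh/sftp-server
#   path_traversable "$jail" /usr/libexec/openssh/sftp-server && echo reachable
```

Run path_traversable for sftp-server and for rssh_chroot_helper after building the jail; a failure names the directory to chmod o+x, which is quicker than the chmod -R 777 experiment described above and does not leave the jail world-writable.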

  10. When using CentOS 6.2 x64 (prebuilt RPMs from repoforge), all appears well, except when running rsync, which fails with an "insecure -e option not allowed" message on the client and:

    Mar 13 13:57:47 dco-rsync1 rssh[2307]: setting log facility to LOG_USER
    Mar 13 13:57:47 dco-rsync1 rssh[2307]: setting umask to 022
    Mar 13 13:57:47 dco-rsync1 rssh[2307]: chrooting all users to /var/chroot
    Mar 13 13:57:47 dco-rsync1 rssh[2307]: line 30: configuring user cxo
    Mar 13 13:57:47 dco-rsync1 rssh[2307]: setting cxo’s umask to 011
    Mar 13 13:57:47 dco-rsync1 rssh[2307]: allowing rsync to user cxo
    Mar 13 13:57:47 dco-rsync1 rssh[2307]: chrooting cxo to /var/chroot/home/cxo
    Mar 13 13:57:47 dco-rsync1 rssh[2307]: insecure -e option in rdist command line!
    Mar 13 13:57:47 dco-rsync1 rssh[2307]: user cxo attempted to execute forbidden commands
    Mar 13 13:57:47 dco-rsync1 rssh[2307]: command: rsync --server --sender -de.s --list-only .

    The rsync command looks "weird", and the mention of "rdist" shouldn't be there. Thoughts?

    1. I don't think so, because scponly does not include shell support. But this is a guess; a lot of scponly's intentions also require shell support in the chroot jail. Unless scponly has included a minimal set of shell commands it will always be better to use rssh; that is why it's still pursued as a proper solution. No guessing involved, it is the same as having full-service scp and shell support.
