
How to: Restrict Users to SCP and SFTP and Block SSH Shell Access with rssh

FTP is an insecure protocol, but file transfer is needed all the time. You can use the OpenSSH server to transfer files using SCP and SFTP (secure FTP) without setting up an FTP server. However, this also grants the user SSH shell access, because OpenSSH requires the account to have a valid login shell. Here is how SFTP works:

SCP/SFTP -> sshd -> sftp-server subsystem is called -> requires a login shell -> user can log in to the server and run other commands.

This article series shows how to provide a secure, restricted file-transfer service to your users without resorting to FTP. It also covers setting up a chroot jail to lock users into their own home directories (users can transfer files but cannot browse the server's entire Linux / UNIX file system), as well as per-user configuration.

rssh ~ a restricted shell

rssh is a restricted shell for use with OpenSSH that allows only scp and/or sftp. It now also includes support for rdist, rsync, and cvs. For example, if you have a server from which you only want to allow users to copy files via scp, without providing shell access, you can use rssh to do that.

Supported operations using rssh

The restricted shell allows only the following operations:

  • scp – secure file copy
  • sftp – secure FTP
  • cvs – Concurrent Versions System; you can easily retrieve old versions to see exactly which change caused a bug
  • rsync – back up and synchronise file systems
  • rdist – the rdist program maintains identical copies of files on multiple hosts

Install rssh

CentOS / Fedora / RHEL Linux rssh installation

Visit Dag's repo to grab the rssh package:
# cd /tmp
# wget http://dag.wieers.com/rpm/packages/rssh/rssh-2.3.2-1.2.el5.rf.i386.rpm
# rpm -ivh rssh-2.3.2-1.2.el5.rf.i386.rpm

Debian / Ubuntu Linux rssh installation

Use the apt-get command:
$ sudo apt-get install rssh

FreeBSD installation

# cd /usr/ports/shells/rssh
# make install clean

Make sure you build the binary with rsync support.

rssh configuration file

  • Default configuration file: /etc/rssh.conf (FreeBSD – /usr/local/etc/rssh.conf)
  • Default rssh binary location: /usr/bin/rssh (FreeBSD – /usr/local/bin/rssh)
  • Default port: none (rssh is a login shell with security features, so connections still go through OpenSSH on port 22)
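The defaults above matter because rssh is assigned as an account's login shell rather than running as a daemon on its own port. As an added example that is not part of the article, this POSIX sh script audits a passwd file for accounts locked to rssh, flags regular accounts that still have a full shell, and checks that the rssh binary is registered in /etc/shells (FTP daemons and PAM's pam_shells reject logins whose shell is not listed there). The passwd and shells contents are constructed samples so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the nixCraft article: audit rssh-restricted accounts.
# Constructed samples stand in for /etc/passwd and /etc/shells; on a real host,
# pass "$(cat /etc/passwd)" and "$(cat /etc/shells)" to the functions instead.

RSSH_BIN=${RSSH_BIN:-/usr/bin/rssh}   # /usr/local/bin/rssh on FreeBSD

PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
vivek:x:1001:1001::/home/vivek:/usr/bin/rssh
backup:x:1002:1002::/home/backup:/usr/bin/rssh
devops:x:1003:1003::/home/devops:/bin/bash
nobody:x:65534:65534::/nonexistent:/usr/sbin/nologin'

SHELLS_SAMPLE='/bin/sh
/bin/bash
/usr/sbin/nologin'

# Comma-separated login names whose login shell (field 7) is rssh.
rssh_users() {
    printf '%s\n' "$1" | awk -F: -v sh="$RSSH_BIN" '$7 == sh { print $1 }' | paste -sd, -
}

# Comma-separated non-system accounts (uid >= 1000) that still get a full
# interactive shell, i.e. accounts rssh does not restrict.
unrestricted_users() {
    printf '%s\n' "$1" | awk -F: -v sh="$RSSH_BIN" \
        '$3 >= 1000 && $7 != sh && $7 !~ /nologin$/ && $7 !~ /false$/ { print $1 }' \
        | paste -sd, -
}

# Succeed (exit 0) when rssh is listed in the given /etc/shells contents.
# Without this entry, FTP daemons and pam_shells treat rssh users as having
# an invalid shell and refuse the login, even though sshd still accepts them.
rssh_registered() {
    printf '%s\n' "$1" | grep -qxF "$RSSH_BIN"
}

echo "rssh-restricted accounts: $(rssh_users "$PASSWD_SAMPLE")"
echo "accounts with a full shell: $(unrestricted_users "$PASSWD_SAMPLE")"
if rssh_registered "$SHELLS_SAMPLE"; then
    echo "$RSSH_BIN is listed in /etc/shells"
else
    echo "$RSSH_BIN is missing from /etc/shells; add it with: echo $RSSH_BIN >> /etc/shells"
fi
```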

25 comments
  • john January 2, 2008, 8:45 pm

    How about a suse procedure?

  • nixCraft January 2, 2008, 8:58 pm


    The procedure is the same for Suse Linux; just download and install the rpm file.

  • J.P. Pasnak January 2, 2008, 9:52 pm

    As a note, rssh is available in Mandriva Contribs (for 2008 and Cooker at least). So ‘urpmi rssh’ should work fine.

  • Christoph Langner January 4, 2008, 12:19 am

    The developer of rssh quit the development of rssh two years ago. I wouldn't recommend using rssh since security issues won't be fixed. Better use scponly…

  • FreeMa January 22, 2008, 3:22 pm

    For those using Ubuntu (tested on Gutsy 7.10), I suggest that you follow these instructions:



  • khurram June 25, 2008, 4:53 pm

    Hi Vivic,

    Thanks a lot, I have installed the SFTP server using the above procedure. Now I want users to be able to log in using their public and private key pairs instead of passwords. Is it possible? Can anyone help me please? Thanks.

  • Webagentur November 5, 2008, 3:28 pm

    Why install this rssh?

  • Girish April 29, 2009, 3:59 pm

    This is awesome! Thank you for posting this.


  • speller April 30, 2009, 12:32 am

    Not sure what to download for Suse Enterprise?

  • Hans Ruedi August 16, 2009, 9:55 am

    I've chrooted my SSH with this patch. Works perfectly for me. Maybe check that page for other OpenSSH versions.

  • jigs October 15, 2009, 12:17 am

    Hi, thanks for the article. It helped a lot.

    But I have a requirement to allow internal transmissions using FTP with the same account. After I set up RSSH and change the shell on an SFTP/FTP account to RSSH, the user can no longer access the server via SSH, only via SFTP. But it also rejects FTP access. Is there a way around this…?

    • Bbp June 2, 2010, 12:18 am

      I haven't tried it yet, but, as I understand it, you can use rssh if you want to restrict the user's access to SFTP, SCP, rsync and a few other services. If you want to allow the user to use SSH, FTP and more, there is no reason to use rssh for that user.

    • Anonymous June 9, 2010, 5:01 pm

      add it into /etc/shells

      • ordenador October 9, 2014, 2:48 pm

        Thank you, adding it into /etc/shells works for FTP!!

  • jeantoe February 25, 2010, 3:10 pm

    Hi, when I try to ssh I get the message "This account is restricted by rssh.
    This user is locked out. If you believe this is in error, please contact your system administrator." How do I change it?
    Thank you

    • Jay June 14, 2011, 4:26 pm

      Look at the title of the article and then go away.

  • Venkatesh August 12, 2010, 12:47 am

    I do not want the users to land on their respective user home directory, for example /users/vivek; instead I want them to land only on /users/vivek/data and not even be able to jump to /users/vivek. Where should we make the change, in the /etc/passwd file?

  • paul March 2, 2011, 6:05 am

    Does RSSH allow SSH tunnels?

  • radiant_exitence March 17, 2011, 1:06 am

    I hope someone can answer my question about scp and sftp in openSUSE 11.3. I tried to use the internal sftpd and it was working OK, but you cannot do scp with the internal sftpd. Of course I also want to chroot users in a jail, which the internal sftpd allows you to do, but you cannot scp. Are there any instructions on how to do it, or do some of you know how it is done?

  • John Willis March 31, 2011, 7:09 am

    I had a great deal of trouble getting this to work on RHEL 5.6 i386 until I discovered there was a permissions problem with several directories.

    1. yum install rssh-2.3.2-1.2.el5.rf.i386.rpm and consider version locking, later versions seem broken
    2. /etc/rssh.conf – uncomment #allowscp and #allowsftp and set the chrootpath =
    3. chmod o+x the chrootpath
    4. cd chrootpath
    5. mkdir dev etc lib usr
    6. chmod 755 *
    7. mknod -m 666 //dev/null c 1 3
    8. cp /etc/group /etc/passwd /etc/ld.so.cache /etc/ld.so.conf /etc/ld.so.conf.d /etc/nsswitch.conf to //etc
    9. cp the /lib ldd results to //lib
    A. cd chrootpath/usr
    B. mkdir lib libexec
    C. chmod o+x *
    D. cp the /usr/lib ldd results to //usr/lib
    E. cp rssh_chroot_helper to //usr/libexec
    F. chmod 655 rssh_chroot_helper
    G. mkdir openssh
    H. cp sftp-server //usr/libexec/openssh
    I. chmod 755 sftp-server

    Persistently, the problems I ran into were (a) not copying /etc/group and /etc/passwd, or leaving them empty; they need at a minimum entries for root and the users that will sftp into the chrootpath, and (b) not realizing the importance of the o+x on the chrootpath and the directories holding the rssh_chroot_helper and sftp-server.

    I finally stumbled upon the issue by temporarily chmod -R 777 across the entire chrootpath on a test box and working the problem backwards once it was working, removing unnecessary things and permissions.

    The debugging built into sshd and rssh was not very helpful; straces of the rssh shell and sftp-server were equally not useful in debugging the problem. The results of the straces seemed to indicate there were no problems accessing any files.

    I suspect the logging would have been more helpful with a “full” duplicate of the operating system in the chroot instead of a minimal system, with the minimal resources the debug logging did not occur after chroot took place.

  • John Willis March 31, 2011, 7:13 am


    The tips above include a "chrootpath" between the "double" slashes "//", but the comment posting system interpreted those as html due to the tag brackets and removed the "left angle bracket" chrootpath "right angle bracket".

    Just thought I'd mention the "double" slashes were important to interpreting the tips.

  • CXO March 13, 2012, 6:01 pm

    When using CentOS 6.2 x64 (using prebuilt RPMS from repoforge), all appears well, except when running rsync, it fails with an "insecure -e option not allowed" message on the client and:

    Mar 13 13:57:47 dco-rsync1 rssh[2307]: setting log facility to LOG_USER
    Mar 13 13:57:47 dco-rsync1 rssh[2307]: setting umask to 022
    Mar 13 13:57:47 dco-rsync1 rssh[2307]: chrooting all users to /var/chroot
    Mar 13 13:57:47 dco-rsync1 rssh[2307]: line 30: configuring user cxo
    Mar 13 13:57:47 dco-rsync1 rssh[2307]: setting cxo’s umask to 011
    Mar 13 13:57:47 dco-rsync1 rssh[2307]: allowing rsync to user cxo
    Mar 13 13:57:47 dco-rsync1 rssh[2307]: chrooting cxo to /var/chroot/home/cxo
    Mar 13 13:57:47 dco-rsync1 rssh[2307]: insecure -e option in rdist command line!
    Mar 13 13:57:47 dco-rsync1 rssh[2307]: user cxo attempted to execute forbidden commands
    Mar 13 13:57:47 dco-rsync1 rssh[2307]: command: rsync --server --sender -de.s --list-only .

    The rsync command looks "weird" and the notion of "rdist" shouldn't be there. Thoughts?

    • CXO March 13, 2012, 6:27 pm

      Apparently "--protocol=29" on the client side fixes this. Brings me to the next hurdle…

  • Siddharth R April 8, 2013, 9:33 pm

    Can we do rsync with scponly shell for the account not /bin/bash ?

    • john willis November 16, 2013, 1:10 pm

      I don't think so, because scponly does not include shell support.. but this is a guess; a lot of scponly intentions also require shell support in the change root jail.. unless scponly has included a minimal set of shell commands, it will always be better to use rssh.. that is why it's still pursued as a proper solution.. no guessing involved, it is the same as having full service scp and shell support
