nixCraft

Linux Tips, Hacks, Tutorials, And Ideas In Blog Format


How to: Configure User Account to Use a Restricted Shell ( rssh )

last updated November 27, 2007 in Categories Linux, Security, Sys admin, Tips, UNIX

Now that rssh is installed, the next logical step is to configure a user account to use it. All you have to do is set the account's login shell to /usr/bin/rssh. The following examples add a user named didi to the system with /usr/bin/rssh as the login shell, and switch an existing user over.

Create a new user with /usr/bin/rssh

Log in as the root user

Type the following command to create a new user called didi:
# useradd -m -d /home/didi -s /usr/bin/rssh didi
# passwd didi

Change existing user shell to /usr/bin/rssh

Use the usermod or chsh command to change an existing user's login shell:
# usermod -s /usr/bin/rssh old-user-name
# usermod -s /usr/bin/rssh vivek
# chsh -s /usr/bin/rssh vivek

Try login via ssh or sftp

Now try logging in via ssh or sftp as user didi:
$ sftp didi@my.backup.server.com
OR
$ ssh didi@my.backup.server.com
Output:

didi@my.backup.server.com's password: TYPE-THE-PASSWORD
Linux my.backup.server.com 2.6.22-14-generic #1 SMP Tue Dec 18 08:02:57 UTC 2007 i686

Last login: Thu Dec 27 16:35:04 2007 from localhost

This account is restricted by rssh.
This user is locked out.

If you believe this is in error, please contact your system administrator.

Connection to my.backup.server.com closed.

By default the rssh configuration locks down everything: neither shell, scp nor sftp access is granted, so the login above is refused with the message shown.

Grant access to sftp and scp for all users

The default action for rssh is to lock down everything. To grant scp or sftp access, open the /etc/rssh.conf file:
# vi /etc/rssh.conf
Append or uncomment the following two lines:
allowscp
allowsftp

Save and close the file. rssh reads its configuration file on the fly (there is no rssh service to restart). The user should now be able to run scp and sftp, while shell access is still refused:
$ scp /path/to/file didi@my.backup.server.com:/.
OR
$ sftp didi@my.backup.server.com
Output:

Connecting to my.backup.server.com...
didi@my.backup.server.com's password:
sftp> pwd
Remote working directory: /home/didi
sftp>

Understanding command configuration options

Add the following keywords / directives to /etc/rssh.conf to allow scp, sftp and the other supported commands; anything not explicitly allowed stays locked down:

  • allowscp : Tells the shell that scp is allowed.
  • allowsftp : Tells the shell that sftp is allowed.
  • allowcvs : Tells the shell that cvs is allowed.
  • allowrdist : Tells the shell that rdist is allowed.
  • allowrsync : Tells the shell that rsync is allowed.

Tip: Create a dedicated group for rssh users and, using standard file permissions, restrict execute access on the rssh binary to members of that group, so that no other account can invoke the restricted shell. Keep in mind that rssh restricts which commands may run, not which files they reach: without a chroot, an sftp or scp user can read or write any path the account's Unix permissions allow. Note also that rssh is no longer maintained; current OpenSSH releases provide the same sftp-only restriction natively with ForceCommand internal-sftp and ChrootDirectory in sshd_config.
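The following bash script is an added example, not part of the original article or the rssh project. It audits the configuration described above: which accounts have /usr/bin/rssh as their login shell, which keywords are actually enabled (uncommented) in rssh.conf, and which rssh users are missing from the dedicated group suggested in the tip. It reads passwd, group and rssh.conf files passed as arguments, and builds constructed sample files in a temporary directory, so it runs without root and without rssh installed; the sample user names, the group name rsshusers and the sample rssh.conf contents are assumptions for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the article): audit helpers for an rssh deployment.
# All helpers take file paths, so they can be pointed at /etc/passwd,
# /etc/group and /etc/rssh.conf on a real host, or at the samples below.

RSSH=/usr/bin/rssh

# Print the accounts whose login shell (field 7 of passwd) is rssh.
rssh_users() {
    local passwd="$1"
    awk -F: -v shell="$RSSH" '$7 == shell { print $1 }' "$passwd"
}

# Succeed if an rssh.conf keyword (allowscp, allowsftp, ...) is enabled.
# Only a keyword that starts a line and is not commented out counts;
# "#allowrsync" in the stock file does NOT enable rsync.
rssh_conf_allows() {
    local conf="$1" keyword="$2"
    grep -qE "^[[:space:]]*${keyword}([[:space:]]|$)" "$conf"
}

# Print rssh users that are not listed as members of the named group
# (field 4 of the group file). Primary group membership via the passwd
# gid field is deliberately not considered: the audit expects the
# explicit supplementary group from the tip. Exit 1 if anyone is missing.
rssh_users_not_in_group() {
    local passwd="$1" group="$2" gname="$3" members u missing=0
    members=$(awk -F: -v g="$gname" '$1 == g { print $4 }' "$group")
    for u in $(rssh_users "$passwd"); do
        case ",$members," in
            *",$u,"*) ;;                 # listed as a member
            *) echo "$u"; missing=1 ;;   # rssh shell but not in the group
        esac
    done
    return $missing
}

# Constructed sample files (assumed data, not from any real system):
# two rssh accounts, only one of which was added to the rsshusers group,
# and an rssh.conf with scp and sftp enabled as the article describes.
make_samples() {
    local dir="$1"
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
vivek:x:1000:1000:Vivek:/home/vivek:/bin/bash
didi:x:1001:1001:Backup user:/home/didi:/usr/bin/rssh
backup:x:1002:1002:Backup user:/home/backup:/usr/bin/rssh
EOF
    cat > "$dir/group" <<'EOF'
root:x:0:
rsshusers:x:2000:didi
EOF
    cat > "$dir/rssh.conf" <<'EOF'
# constructed rssh.conf (assumed): logfacility/umask as in the stock file,
# scp and sftp uncommented, everything else left disabled
logfacility = LOG_USER
umask = 022
allowscp
allowsftp
#allowcvs
#allowrdist
#allowrsync
EOF
}

main() {
    local dir k
    dir=$(mktemp -d)
    make_samples "$dir"
    echo "accounts using $RSSH:"
    rssh_users "$dir/passwd"
    for k in allowscp allowsftp allowcvs allowrdist allowrsync; do
        if rssh_conf_allows "$dir/rssh.conf" "$k"; then
            echo "$k: enabled"
        else
            echo "$k: disabled"
        fi
    done
    echo "rssh accounts missing from group rsshusers:"
    rssh_users_not_in_group "$dir/passwd" "$dir/group" rsshusers || true
    rm -rf "$dir"
}

main "$@"
```

On a real host, replace the sample paths with /etc/passwd, /etc/group and /etc/rssh.conf; an account reported by rssh_users_not_in_group is one that can log in through rssh but would not be covered by a group-based execute restriction on the rssh binary.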

nixCraft @2000-2019 nixCraft. All rights reserved.