Now rssh is installed. Next logical step is configure user to use rssh. All you have to do is set a user account shell to /usr/bin/rssh. The following examples adds user didi to system with /usr/bin/rssh.
Create a new user with /usr/bin/rssh
Login as the root user
Type the following command to create a new user called didi:
# useradd -m -d /home/didi -s /usr/bin/rssh didi
# passwd didi
Change existing user shell to /usr/bin/rssh
Use chsh command or usermod command to change user login shell:
# usermod -s /usr/bin/rssh old-user-name
# usermod -s /usr/bin/rssh vivek
# chsh -s /usr/bin/rssh vivek
Try login via ssh or sftp
Now try login via ssh or sftp using username didi:
$ sftp [email protected]
OR
$ ssh [email protected]
Output:
[email protected]'s password: TYPE-THE-PASSWORD Linux my.backup.server.com 2.6.22-14-generic #1 SMP Tue Dec 18 08:02:57 UTC 2007 i686 Last login: Thu Dec 27 16:35:04 2007 from localhost This account is restricted by rssh. This user is locked out. If you believe this is in error, please contact your system administrator. Connection to my.backup.server.com closed.
By default rssh configuration locks down everything including any sort of access.
Grant access to sftp and scp for all users
The default action for rssh to lock down everything. To grant access to scp or sftp open /etc/rssh.conf file:
# vi /etc/rssh.conf
Append or uncomment following two lines
allowscp
allowsftp
Save and close the file. rssh reads configuration file on fly (there is no rssh service exists). Now user should able to run scp and sftp commands, but no shell access is granted:
$ scp /path/to/file [email protected]:/.
OR
$ sftp [email protected]:/.
Output:
Connecting to lmy.backup.server.com... [email protected]'s password: sftp> pwd Remote working directory: /home/didi sftp>
Understanding command configuration options
You need to add following keywords / directives to allow or disallow scp / sftp and other commands:
- allowscp : Tells the shell that scp is allowed.
- allowsftp : Tells the shell that sftp is allowed.
- allowcvs : Tells the shell that cvs is allowed.
- allowrdist : Tells the shell that rdist is allowed.
- allowrsync : Tells the shell that rsync is allowed.
Tip: Create a group for rssh users, and limit executable access to the binaries to users in that group to improve security. Please use standard file permissions carefully and appropriately.