Grill of my dreams
A substitute for human interaction

Shell restriction

How to: Restrict Users to SCP and SFTP and Block SSH Shell Access with rssh

by Vivek Gite [Last updated: December 31, 2007]



FTP is an insecure protocol, but file transfer is required all the time. You can use the OpenSSH server to transfer files using SCP and SFTP (secure FTP) without setting up an FTP server. However, this feature also grants SSH shell access to the user, because OpenSSH requires a valid shell. Here is how SFTP works:

SCP/SFTP -> SSHD -> Call sftpd subsystem -> Requires a shell -> User can login to server and run other commands.

In this article series we will help you provide secure, restricted file-transfer services to your users without resorting to FTP. It also covers chroot jail setup instructions to lock users into their own home directories (users can transfer files but cannot browse the entire Linux / UNIX file system of the server), as well as per-user configurations.

rssh ~ a restricted shell

rssh is a restricted shell for use with OpenSSH, allowing only scp and/or sftp. It now also includes support for rdist, rsync, and cvs. For example, if you have a server which you only want to allow users to copy files off of via scp, without providing shell access, you can use rssh to do that.

Supported operations using rssh

The restricted shell allows only the following operations:

  • scp - Secure file copy
  • sftp - Secure FTP
  • cvs - Concurrent Versions System ~ you can easily retrieve old versions to see exactly which change caused the bug
  • rsync - Backup and sync file system
  • rdist - Backup / RDist program maintains identical copies of files on multiple hosts.

Install rssh

CentOS / Fedora / RHEL Linux rssh installation

Visit Dag's repo to grab the rssh package:
# cd /tmp
# wget http://dag.wieers.com/rpm/packages/rssh/rssh-2.3.2-1.2.el5.rf.i386.rpm
# rpm -ivh rssh-2.3.2-1.2.el5.rf.i386.rpm

Debian / Ubuntu Linux rssh installation

Use the apt-get command:
$ sudo apt-get install rssh

FreeBSD installation

# cd /usr/ports/shells/rssh
# make install clean

Make sure you build the binary with rsync support.

rssh configuration file

  • Default configuration file is located at /etc/rssh.conf (FreeBSD - /usr/local/etc/rssh.conf)
  • Default rssh binary location /usr/bin/rssh (FreeBSD - /usr/local/bin/rssh)
  • Default port: none (OpenSSH's port 22 is used; rssh is a shell with security features)

How to: Configure User Account to Use a Restricted Shell ( rssh )

by Vivek Gite [Last updated: December 31, 2007]


Now rssh is installed. The next logical step is to configure a user to use rssh. All you have to do is set the user account's shell to /usr/bin/rssh. The following example adds the user didi to the system with /usr/bin/rssh as the login shell.

Create a new user with /usr/bin/rssh

Log in as the root user.

Type the following command to create a new user called didi:
# useradd -m -d /home/didi -s /usr/bin/rssh didi
# passwd didi

Change existing user shell to /usr/bin/rssh

Use the chsh command or the usermod command to change a user's login shell:
# usermod -s /usr/bin/rssh old-user-name
# usermod -s /usr/bin/rssh vivek
# chsh -s /usr/bin/rssh vivek

Try logging in via ssh or sftp

Now try logging in via ssh or sftp using the username didi:
$ sftp didi@my.backup.server.com
OR
$ ssh didi@my.backup.server.com
Output:

didi@my.backup.server.com's password: TYPE-THE-PASSWORD
Linux my.backup.server.com 2.6.22-14-generic #1 SMP Tue Dec 18 08:02:57 UTC 2007 i686

Last login: Thu Dec 27 16:35:04 2007 from localhost

This account is restricted by rssh.
This user is locked out.

If you believe this is in error, please contact your system administrator.

Connection to my.backup.server.com closed.

By default, the rssh configuration locks down everything, including any sort of access.

Grant access to sftp and scp for all users

The default action for rssh is to lock down everything. To grant access to scp or sftp, open the /etc/rssh.conf file:
# vi /etc/rssh.conf
Append or uncomment the following two lines:
allowscp
allowsftp

Save and close the file. rssh reads the configuration file on the fly (there is no rssh service to restart). The user should now be able to run scp and sftp commands, but no shell access is granted:
$ scp /path/to/file didi@my.backup.server.com:/.
OR
$ sftp didi@my.backup.server.com:/.
Output:

Connecting to my.backup.server.com...
didi@my.backup.server.com's password:
sftp> pwd
Remote working directory: /home/didi
sftp>

Understanding command configuration options

You need to add the following keywords / directives to allow or disallow scp / sftp and other commands:

  • allowscp : Tells the shell that scp is allowed.
  • allowsftp : Tells the shell that sftp is allowed.
  • allowcvs : Tells the shell that cvs is allowed.
  • allowrdist : Tells the shell that rdist is allowed.
  • allowrsync : Tells the shell that rsync is allowed.

Tip: Create a group for rssh users, and limit executable access to the binaries to users in that group to improve security. Please use standard file permissions carefully and appropriately.
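
The checks implied by the sections above, as an added example that is not part of the original article: a small POSIX shell audit that reports which allow* directives are active in an rssh.conf, which accounts have rssh as their login shell, and which accounts meant to be transfer-only still have another shell. The sample passwd and rssh.conf contents and the account backup1 are constructed, and the script assumes that # starts a comment in rssh.conf.

```sh
#!/bin/sh
# Audit helpers for an rssh setup (added example, not from the article).

# Active allow* directives in an rssh.conf, space separated. Empty output
# means the default applies: every rssh account is locked out.
# Assumption: '#' starts a comment, as in the lines the article uncomments.
rssh_allowed() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" |
        grep -E '^allow(scp|sftp|cvs|rdist|rsync)$' | sort -u | xargs
}

# Login names in a passwd-format file whose shell is the rssh binary.
rssh_users() {
    awk -F: -v sh="${2:-/usr/bin/rssh}" '$7 == sh { print $1 }' "$1" | xargs
}

# Of the accounts named after the first two arguments, those that exist
# but still have a login shell other than rssh.
not_restricted() {
    passwd=$1; rssh_bin=$2; shift 2
    for u in "$@"; do
        awk -F: -v u="$u" -v sh="$rssh_bin" \
            '$1 == u && $7 != sh { print $1 }' "$passwd"
    done | xargs
}

# Constructed sample data (not real accounts); backup1 is hypothetical.
demo=$(mktemp -d)
cat > "$demo/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
didi:x:1001:1001::/home/didi:/usr/bin/rssh
vivek:x:1002:1002::/home/vivek:/usr/bin/rssh
backup1:x:1003:1003::/home/backup1:/bin/bash
EOF
cat > "$demo/rssh.conf" <<'EOF'
allowscp
allowsftp
#allowcvs
#allowrdist
#allowrsync
EOF
echo "enabled directives: $(rssh_allowed "$demo/rssh.conf")"
echo "rssh accounts:      $(rssh_users "$demo/passwd")"
echo "not yet restricted: $(not_restricted "$demo/passwd" /usr/bin/rssh didi backup1)"
rm -rf "$demo"
```

On a real server, point the functions at /etc/rssh.conf and /etc/passwd (on FreeBSD, /usr/local/etc/rssh.conf and /usr/local/bin/rssh).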