Restricted Shells: rssh and scponly


rssh and scponly are restricted login shells that sysadmins use to limit what a Linux account can do. Set as a user's shell, either of them lets the account transfer files over SSH (scp, sftp, rsync and, for rssh, a few related tools) while denying it an interactive command line.

If you run a storage host that receives backups over scp from remote machines, put the accounts those connections use behind a restricted shell. A stolen credential (password or SSH key) for such an account then lets the attacker move files in and out of the directories that account can reach, but not obtain a shell on the host. Keep in mind that this only shrinks the attack surface rather than removing it: the restricted shell still parses the command the client sends, so combine it with a low-privilege account, tight file permissions and, where available, a chroot. Note also that rssh is no longer actively maintained; on current OpenSSH releases the same effect can be achieved with ForceCommand internal-sftp and ChrootDirectory in sshd_config.

scponly is the simpler of the two. An account whose login shell is the scponly binary can do nothing but transfer files with scp, sftp or rsync; a chrooting variant, scponlyc, is built from the same source. rssh offers finer control: globally or per user it can allow any combination of scp, sftp, rsync, cvs and rdist, with or without a chroot.

Installation

– – – – – – – – – – – –

Install rssh or scponly (you only need one of them) with your distribution's package manager, running the commands as root or via sudo:

Ubuntu machine:

apt-get install rssh

apt-get install scponly

CentOS machine (both packages come from the EPEL repository, so enable it first):

yum install rssh

yum install scponly

The alternative is to build from source: unpack the tarball, then run ./configure, make and make install.

Configuration

– – – – – – – – – – – – 

scponly needs no configuration file; you only set it as the login shell of the account. If your distribution's package did not already do so, list the binary in /etc/shells so that chsh and similar tools accept it. Some examples:

Create new user account with scponly as shell:

useradd -s /usr/sbin/scponly dimenoc1

Modify user account to set rssh as a shell:

usermod -s /usr/sbin/rssh dimenoc2

Here /usr/sbin/scponly and /usr/sbin/rssh are the installed binaries. The exact path varies by distribution, so check it with command -v scponly or command -v rssh before assigning it.

rssh reads a plain-text configuration file, normally /etc/rssh.conf. Restrictions can be set globally for every account that uses rssh as its shell, or per user. The file shipped with the package is well commented, so adapting it to your needs is straightforward.

To allow every rssh user scp and rsync only, leave these two lines uncommented in rssh.conf and keep the others commented out:

allowscp

#allowsftp

#allowcvs

#allowrdist

allowrsync

For per-user rules, add user= lines. The following restricts user sbk to scp only:

user=sbk:022:00001:

The same user, allowed scp and rsync only:

user=sbk:022:10001:

The format of these lines is user=name:umask:access bits:chroot path. The access bits are five binary digits standing, from left to right, for rsync, rdist, cvs, sftp and scp: 00011 enables scp and sftp, 11111 enables all five and 00000 enables none. The 022 in the examples above is the umask applied to files the user creates, and the last field (empty here) is an optional chroot directory. A user= line overrides the global allow* settings for that user.
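To make the bit layout concrete, here is an added example (a POSIX shell script, not part of the original post or of rssh itself) that builds and decodes rssh.conf user= lines and summarises a constructed sample configuration. The field order and the rsync, rdist, cvs, sftp, scp bit order are those of the rssh.conf format; the user names and the chroot path in the sample are made up.

```shell
#!/bin/sh
# Added example: helpers for rssh.conf "user=" entries (not rssh's own code).
# A per-user entry looks like   user=NAME:UMASK:ACCESSBITS:CHROOTPATH
# where ACCESSBITS is five binary digits standing, left to right, for
# rsync, rdist, cvs, sftp and scp.

# rssh_bits PROTO...  -> prints the five-digit access-bits string for those protocols
rssh_bits() {
    rsync=0; rdist=0; cvs=0; sftp=0; scp=0
    for p in "$@"; do
        case "$p" in
            rsync) rsync=1 ;;
            rdist) rdist=1 ;;
            cvs)   cvs=1 ;;
            sftp)  sftp=1 ;;
            scp)   scp=1 ;;
            *) echo "rssh_bits: unknown protocol '$p'" >&2; return 1 ;;
        esac
    done
    printf '%s%s%s%s%s\n' "$rsync" "$rdist" "$cvs" "$sftp" "$scp"
}

# rssh_decode BITS  -> prints the protocol names enabled by a five-digit bit string
rssh_decode() {
    case "$1" in
        [01][01][01][01][01]) ;;
        *) echo "rssh_decode: access bits must be five binary digits, got '$1'" >&2; return 1 ;;
    esac
    rest=$1; out=""
    for name in rsync rdist cvs sftp scp; do
        digit=${rest%"${rest#?}"}   # first remaining digit
        rest=${rest#?}              # drop it
        if [ "$digit" = 1 ]; then out="$out $name"; fi
    done
    printf '%s\n' "${out# }"
}

# rssh_user_line NAME UMASK CHROOT PROTO...  -> a complete rssh.conf entry
# (pass an empty string as CHROOT when no chroot is wanted)
rssh_user_line() {
    name=$1; mask=$2; root=$3; shift 3
    bits=$(rssh_bits "$@") || return 1
    printf 'user=%s:%s:%s:%s\n' "$name" "$mask" "$bits" "$root"
}

# rssh_report  (reads an rssh.conf on stdin)  -> one "NAME: PROTOCOLS" line per user= entry
rssh_report() {
    while IFS= read -r line; do
        case "$line" in
            user=*) ;;
            *) continue ;;          # skip comments, blank lines and global keywords
        esac
        entry=${line#user=}
        name=${entry%%:*}
        rest=${entry#*:}            # UMASK:ACCESSBITS:CHROOTPATH
        rest=${rest#*:}             # ACCESSBITS:CHROOTPATH
        bits=${rest%%:*}
        protos=$(rssh_decode "$bits") || protos="(invalid access bits '$bits')"
        printf '%s: %s\n' "$name" "$protos"
    done
}

# Constructed sample rssh.conf (made-up users and path), for demonstration only.
sample_conf() {
    cat <<'EOF'
# global defaults for every rssh user
allowscp
allowrsync
umask = 022
# per-user overrides
user=sbk:022:00001:
user=backup:027:00011:/srv/chroot
user=all:022:11111:
user=broken:022:0101:
EOF
}

sample_conf | rssh_report
```

Running the script prints one line per user= entry (sbk: scp, backup: sftp scp, all: rsync rdist cvs sftp scp) and flags the malformed four-digit entry, which is the kind of typo rssh would otherwise reject at login time rather than when you edit the file.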

Conclusion

These commands and configuration lines let you confine an account to file transfers over SSH and nothing more. Restricted shells are a simple control that every sysadmin running scp, sftp or rsync drop boxes should consider, since they keep a compromised transfer credential from turning into a login on the host.
