Restrict a Linux User’s Access: Only Allowing SCP/SFTP, no SSH

The standard techniques for restricting a Linux user account, does not allow for file transfers to/from the user’s home directory. In my experience it is useful to have certain account types which are only allowed to upload/download files from their home directory; but not login and run shell commands.

This is easy to do with a shell called rssh (Restricted Secure Shell); but you must first install it, because it does not typically come packaged with most distributions of Linux.

Installing RSSH

Locate the most appropriate package for your distribution of Linux at the download site. Once you have located the RPM you will need do the following steps, substituting your chosen package for the RPM.

[root@Internal ~]# wget http://packages.sw.be/rssh/rssh-2.3.2-1.1.el3.rf.x86_64.rpm
--2010-10-11 20:36:21--  http://packages.sw.be/rssh/rssh-2.3.2-1.1.el3.rf.x86_64.rpm
Resolving packages.sw.be... 85.13.226.40
Connecting to packages.sw.be|85.13.226.40|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://rpmforge.sw.be/redhat/el3/en/x86_64/rpmforge/RPMS/rssh-2.3.2-1.1.el3.rf.x86_64.rpm [following]
--2010-10-11 20:36:21--  http://rpmforge.sw.be/redhat/el3/en/x86_64/rpmforge/RPMS/rssh-2.3.2-1.1.el3.rf.x86_64.rpm
Resolving rpmforge.sw.be... 85.13.226.40
Reusing existing connection to packages.sw.be:80.
HTTP request sent, awaiting response... 200 OK
Length: 45053 (44K) [application/x-rpm]
Saving to: “rssh-2.3.2-1.1.el3.rf.x86_64.rpm”
100%[====================================================================================================================================================>] 45,053      94.6K/s   in 0.5s

2010-10-11 20:36:22 (94.6 KB/s) - “rssh-2.3.2-1.1.el3.rf.x86_64.rpm” saved [45053/45053]

[root@Internal ~]# rpm -ivh rssh-2.3.2-1.1.el3.rf.x86_64.rpm
warning: rssh-2.3.2-1.1.el3.rf.x86_64.rpm: Header V3 DSA signature: NOKEY, key ID 6b8d79e6
Preparing...                ########################################### [100%]
1:rssh                   ########################################### [100%]

Updating Access Permissions

Now you should be able to set a user’s login shell to RSSH. Here is what the original line will usually look like.

joe:x:501:501::/home/joe:/bin/bash

This is what the updated line will look like.

joe:x:501:501::/home/joe:/usr/bin/rssh

What Happens if the User Attempts to SSH in After Access is Restricted

Now if joe attempts to login via SSH, the following will occur:

[root@Internal ~]# ssh joe@localhost
The authenticity of host 'localhost (127.0.0.1)' can't be established.
RSA key fingerprint is b5:39:02:23:01:a5:ff:b9:c1:aa:01:a9:69:21:a4:e0.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (RSA) to the list of known hosts.
joe@localhost's password: 

This account is restricted by rssh.
This user is locked out.

If you believe this is in error, please contact your system administrator.

Connection to localhost closed.

Leave a comment

Your email address will not be published. Required fields are marked *