Restrict a Linux User’s Access: Only Allowing SCP/SFTP, no SSH

The standard techniques for restricting a Linux user account, such as setting the login shell to /sbin/nologin or /bin/false, do not allow file transfers to or from the user's home directory either: sshd starts scp and sftp-server through the user's login shell, so a shell that refuses everything refuses those as well. In my experience it is useful to have certain account types which are only allowed to upload and download files in their home directory, but not log in and run shell commands.

This is easy to do with a shell called rssh (Restricted Secure Shell), which never gives the user an interactive shell and only executes a fixed list of commands (scp, sftp, cvs, rdist and rsync, each of which must be enabled in its configuration file); but you must first install it, because it does not typically come packaged with most distributions of Linux. Note that rssh has seen no upstream release for years; if your OpenSSH is recent, a Match User block with ForceCommand internal-sftp covers the SFTP-only case without a third-party shell.

Installing RSSH

Locate the most appropriate package for your distribution of Linux at the download site. Before installing, import the repository's GPG signing key with rpm --import so that rpm can verify the package signature; the NOKEY warning in the transcript below means the signature was not checked, and the download itself travels over plain HTTP. Once you have located the RPM, do the following steps, substituting your chosen package for the RPM.

[root@Internal ~]# wget http://packages.sw.be/rssh/rssh-2.3.2-1.1.el3.rf.x86_64.rpm
--2010-10-11 20:36:21--  http://packages.sw.be/rssh/rssh-2.3.2-1.1.el3.rf.x86_64.rpm
Resolving packages.sw.be... 85.13.226.40
Connecting to packages.sw.be|85.13.226.40|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://rpmforge.sw.be/redhat/el3/en/x86_64/rpmforge/RPMS/rssh-2.3.2-1.1.el3.rf.x86_64.rpm [following]
--2010-10-11 20:36:21--  http://rpmforge.sw.be/redhat/el3/en/x86_64/rpmforge/RPMS/rssh-2.3.2-1.1.el3.rf.x86_64.rpm
Resolving rpmforge.sw.be... 85.13.226.40
Reusing existing connection to packages.sw.be:80.
HTTP request sent, awaiting response... 200 OK
Length: 45053 (44K) [application/x-rpm]
Saving to: “rssh-2.3.2-1.1.el3.rf.x86_64.rpm”
100%[====================================================================================================================================================>] 45,053      94.6K/s   in 0.5s
 
2010-10-11 20:36:22 (94.6 KB/s) - “rssh-2.3.2-1.1.el3.rf.x86_64.rpm” saved [45053/45053]
 
[root@Internal ~]# rpm -ivh rssh-2.3.2-1.1.el3.rf.x86_64.rpm
warning: rssh-2.3.2-1.1.el3.rf.x86_64.rpm: Header V3 DSA signature: NOKEY, key ID 6b8d79e6
Preparing...                ########################################### [100%]
1:rssh                   ########################################### [100%]

Updating Access Permissions

Now you should be able to set a user's login shell to rssh, either with usermod -s /usr/bin/rssh joe or by editing /etc/passwd with vipw (which locks the file while you edit). Here is what the original /etc/passwd line will usually look like.

joe:x:501:501::/home/joe:/bin/bash

This is what the updated line will look like. The path is where the rpmforge package installs the binary; confirm it on your system with which rssh before you change anyone's shell, because a nonexistent shell locks the account out of everything.

joe:x:501:501::/home/joe:/usr/bin/rssh

What Happens if the User Attempts to SSH in After Access is Restricted

Now if joe attempts to log in via SSH, the following will occur. Note the "This user is locked out." line: the stock /etc/rssh.conf ships with every allow directive commented out, so at this point rssh refuses scp and sftp as well. Uncomment allowscp and allowsftp in that file; an interactive login attempt is still refused afterwards, but the message then lists the allowed commands instead of reporting the user as locked out.

[root@Internal ~]# ssh joe@localhost
The authenticity of host 'localhost (127.0.0.1)' can't be established.
RSA key fingerprint is b5:39:02:23:01:a5:ff:b9:c1:aa:01:a9:69:21:a4:e0.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (RSA) to the list of known hosts.
joe@localhost's password: 
 
This account is restricted by rssh.
This user is locked out.
 
If you believe this is in error, please contact your system administrator.
 
Connection to localhost closed.
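As an added example (not code from the original post or from the rssh project), here is a POSIX shell script that does the three things the procedure above leaves to the reader: it enables scp and sftp in rssh.conf (the reason joe is reported as locked out in the transcript is that the stock file has every allow directive commented out), switches the user's login shell, and verifies the result. The paths /usr/bin/rssh and /etc/rssh.conf are assumed from the rpmforge package; the RSSH_USER variable, the function names and the file-path arguments are this example's own, chosen so the logic can be run against copies of the files as well as the live system.

```sh
#!/bin/sh
# Added example for this post, not code from the rssh project. Locks a user
# down to scp/sftp with rssh and verifies the result.
# Assumed from the rpmforge package: the shell lives at /usr/bin/rssh and its
# config at /etc/rssh.conf. RSSH_USER and the function names are this
# example's own. Apply for real as root with:  RSSH_USER=joe sh restrict.sh

RSSH_SHELL=${RSSH_SHELL:-/usr/bin/rssh}
RSSH_CONF=${RSSH_CONF:-/etc/rssh.conf}
PASSWD_FILE=${PASSWD_FILE:-/etc/passwd}
SHELLS_FILE=${SHELLS_FILE:-/etc/shells}

# Print the login shell (field 7) of a user from a passwd-format file.
login_shell() {
    awk -F: -v u="$2" '$1 == u { print $7 }' "$1"
}

# Change one user's login shell in a passwd-format file, leaving every other
# line untouched. On a live system prefer "usermod -s /usr/bin/rssh joe", which
# locks /etc/passwd for you; this form is for working on a copy of the file.
set_login_shell() {
    file=$1 user=$2 shell=$3
    awk -F: -v OFS=: -v u="$user" -v s="$shell" \
        '$1 == u { $7 = s } { print }' "$file" > "$file.new" \
        && cat "$file.new" > "$file" && rm -f "$file.new"
}

# The stock rssh.conf ships with every allow* directive commented out, so a user
# whose shell is rssh is refused everything ("This user is locked out.") until
# scp and sftp are switched on. Uncomment allowscp/allowsftp, or append them if
# no such line exists; allowcvs, allowrdist and allowrsync are left as they are.
enable_scp_sftp() {
    conf=$1
    for d in allowscp allowsftp; do
        awk -v d="$d" '
            $0 ~ ("^[ \t]*#[ \t]*" d "[ \t]*$") { print d; next }
            { print }' "$conf" > "$conf.new" \
            && cat "$conf.new" > "$conf" && rm -f "$conf.new"
        grep -q "^[[:space:]]*$d[[:space:]]*$" "$conf" || printf '%s\n' "$d" >> "$conf"
    done
}

# What to check before trusting the lock-down. Returns 0 only if the user's
# shell is rssh and both scp and sftp are enabled; prints each failure found.
verify_restriction() {
    passwd=$1 conf=$2 shells=$3 user=$4
    ok=0
    [ "$(login_shell "$passwd" "$user")" = "$RSSH_SHELL" ] \
        || { echo "$user: login shell is not $RSSH_SHELL"; ok=1; }
    for d in allowscp allowsftp; do
        grep -q "^[[:space:]]*$d[[:space:]]*$" "$conf" \
            || { echo "$conf: $d is not enabled"; ok=1; }
    done
    # sshd itself does not consult /etc/shells, but chsh and pam_shells do, so
    # a missing entry is worth a warning even though it does not fail the check.
    grep -qx "$RSSH_SHELL" "$shells" 2>/dev/null \
        || echo "warning: $RSSH_SHELL is not listed in $shells"
    return $ok
}

# Apply to a real account only when RSSH_USER is set and we are root.
if [ -n "${RSSH_USER-}" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    enable_scp_sftp "$RSSH_CONF"
    usermod -s "$RSSH_SHELL" "$RSSH_USER"
    verify_restriction "$PASSWD_FILE" "$RSSH_CONF" "$SHELLS_FILE" "$RSSH_USER"
fi
```

After running it, repeat the ssh test from the transcript above: the login should still be refused, but the message should now name scp and sftp as the allowed commands, and sftp joe@localhost should open a session limited to the home directory's files.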