Limiting ssh user to SFTP using restricted shell

This is a follow-up to the recent article about restricting ssh logins to sftp. Back then I showed you how to restrict which ssh users can log in to a system by configuring OpenSSH to prevent logins for users belonging to a specific group.

To do things differently I will show you an alternative and, in my personal opinion, easier way of restricting an ssh user to sftp. rssh is a restricted shell that can be used with OpenSSH to allow only sftp and scp; it also includes support for rsync, rdist and cvs. This makes it possible to create shell users without giving them any login access to the server beyond transferring files.

First, make sure that the rssh package is installed (it can be found in the usual repositories). Since Debian is still my favourite distro I use aptitude; use the equivalent on yours (yum, zypper etc.).

# aptitude install rssh
The following NEW packages will be installed: rssh
0 packages upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 65.8 kB of archives. After unpacking 185 kB will be used.
Get: 1 http://mirror.switch.ch/ftp/mirror/debian/ wheezy/main rssh amd64 2.3.3-6 [65.8 kB]
Fetched 65.8 kB in 0s (752 kB/s)
Preconfiguring packages ...
Selecting previously unselected package rssh.
(Reading database ... 137643 files and directories currently installed.)
Unpacking rssh (from .../rssh_2.3.3-6_amd64.deb) ...
Processing triggers for man-db ...
Setting up rssh (2.3.3-6) ...

To restrict a user to SFTP, rssh needs to be configured as that user's login shell. The following example adds a new user bubu to the system with the shell set to /usr/bin/rssh:

# useradd -m -d /home/bubu -s /usr/bin/rssh bubu
# passwd bubu

To change the shell of an existing user use either usermod or the chsh command, whichever you prefer.

# usermod -s /usr/bin/rssh <old-user-name>
# usermod -s /usr/bin/rssh chris2

# chsh -s /usr/bin/rssh chris2

Afterwards, if you try logging in via ssh or sftp you will receive a response similar to the one below, since by default rssh locks the system down completely, leaving the user without any access at all.

$ sftp bubu@server.pretendco.com

$ ssh bubu@server.pretendco.com

Response:

bubu@server.pretendco.com's password: TYPE-THE-PASSWORD
Linux bubu@server.pretendco.com 3.13-0.bpo.1-amd64 #1 SMP Debian 3.13.10-1~bpo70+1 (2014-04-23) x86_64 GNU/Linux
Last login: Sun Nov 16 07:03:04 2014 from localhost
This account is restricted by rssh.
This user is locked out.
If you believe this is in error, please contact your system administrator.
Connection to server.pretendco.com closed.

The default action of rssh is to deny all access. To change this, edit the rssh.conf file and append or uncomment the following two lines, allowscp and allowsftp:

# vi /etc/rssh.conf

...

# Leave these all commented out to make the default action for rssh to lock
# users out completely...

allowscp
allowsftp
#allowcvs
#allowrdist
#allowrsync
#allowsvnserve

...

The user should now be able to log in to the system:

$ sftp bubu@server.pretendco.com
Connecting to server.pretendco.com...
bubu@server.pretendco.com's password:
sftp> pwd
Remote working directory: /home/bubu
sftp>
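As an added example (not part of the original post), here is a small POSIX shell audit that reports which services an rssh.conf enables and which accounts in a passwd file have rssh as their login shell, so you can verify the configuration above after making it. The sample config and passwd lines are constructed inline; the temporary file paths stand in for /etc/rssh.conf and /etc/passwd on a real host.

```shell
#!/bin/sh
# Added example, not from the original post: audit an rssh setup offline.
# Per-user "user=" override lines in rssh.conf are not evaluated here; only
# the global allow* keywords are reported (assumption for this example).

# rssh_allowed CONF -> prints the enabled allow* keywords, one per line.
# Strips "#" comments and surrounding whitespace, as rssh ignores them.
rssh_allowed() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" \
        | grep -E '^allow(scp|sftp|cvs|rdist|rsync|svnserve)$' \
        | sort -u
}

# rssh_users PASSWD -> prints login names whose shell field ends in /rssh.
rssh_users() {
    awk -F: '$7 ~ /\/rssh$/ { print $1 }' "$1"
}

# Constructed sample files standing in for /etc/rssh.conf and /etc/passwd.
SAMPLE_CONF=$(mktemp)
SAMPLE_PASSWD=$(mktemp)
trap 'rm -f "$SAMPLE_CONF" "$SAMPLE_PASSWD"' EXIT

cat >"$SAMPLE_CONF" <<'EOF'
# Leave these all commented out to make the default action for rssh to lock
# users out completely...
allowscp
allowsftp
#allowcvs
#allowrdist
#allowrsync
EOF

cat >"$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bubu:x:1001:1001::/home/bubu:/usr/bin/rssh
chris2:x:1002:1002::/home/chris2:/usr/bin/rssh
alice:x:1003:1003::/home/alice:/bin/bash
EOF

echo "Enabled rssh services:"
rssh_allowed "$SAMPLE_CONF"
echo "Accounts confined to rssh:"
rssh_users "$SAMPLE_PASSWD"
```

On a live system, run the two functions against /etc/rssh.conf and /etc/passwd to confirm that only the intended protocols are enabled and that every transfer-only account really has rssh as its shell.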
