Here’s a neat little program to restrict server access of Linux user accounts to SCP and/or SFTP only. It is called rssh. What it does is, and I quote:
rssh is a restricted shell for use with OpenSSH, allowing only scp and/or sftp. It now also includes support for rdist, rsync, and cvs. For example, if you have a server which you only want to allow users to copy files off of via scp, without providing shell access, you can use rssh to do that.
So how I stumbled on rssh was one born out of desperation. One of the servers I am maintaining was having FTP issues. The 3rd party vendor’s script responsible for uploading some data to our client’s DB application (hosted on said server) suddenly started failing to write to the FTP folder for unknown reasons even though the FTP service configuration has been left untouched for over 2 years, and no recent updates were made to it.
I needed a quick solution because the client was getting angry on the failed uploads. I suggested they use SFTP for the meantime, while I found out what was causing the FTP issue. Of course this meant that I would have to allow SSH connections for their user account. I did not want them to be able to log on to a regular shell since they do not really need that. But how?
Google to the rescue!
As always, when one Googles, one gets answers. Lots! … Not. OK, I am sure there are more solutions but the 2 things that immediately caught my attention were rssh and scponly. I have tried scponly, but it seemed kinda clunky in its implementation. rssh looked better so I opted for this one.
How to use it?
- Install rssh from whatever package manager you have on your Linux. Or perhaps you can compile it from source.
- Open the rssh.conf file with your favorite text editor. Usually it is at /etc/rssh.conf. Yours may be different.
- By default, rssh is configured to block all users out completely. So depending on your requirements, uncomment the protocols like so:
- Again, open /etc/passwd with your favorite text editor. Find the user you want to use rssh with and instead of giving it bash as the shell put rssh. Below is an example. Replace USER with the actual username:
After doing the steps above you are all good to go. Try it out by opening a SCP or SFTP connection using a client like FileZilla.
Oh, there are a few caveats about rssh.
- By the looks of it, the author has not maintained this project for the last 2+ years. Last update was back in 27th November 2012 for v2.3.4. And it appears that was the last.
- Some versions of WinSCP may have some issues with rssh. Although in my tests I was able to connect fine on SFTP using said client. I’ll have to check this again just to be sure.
- Lastly, use this at your own risk. This is just a temporary solution for mine. Better to lock down your server such as chroot-ing users, white-listing IPs that can connect to your SSH port, etc. Better to be paranoid and redundant than to be sorry.
P.S. As it turned out, there was nothing wrong with our FTP server after all. The 3rd party server/network from where they were sending the data to us must have blocked off some ports on their side by accident. FTPS was configured to randomly use ports between 5000 to 5100. Their incoming port only allowed 5000.