RSSH: A More Secure Way To Share Files
2013-06-26 (Paul Saletan)
You’ve set up a server and your users are happily transferring files with apps like Filezilla or Cyberduck. You know that plain FTP is not secure, so you’re requiring secure FTP (SFTP). Very nice so far – no FTP server required.
The only problem is that your users also have SSH access, and that creates a potential security vulnerability. Their accounts could be used (or exploited) to run commands, when all you want to allow them is uploading and downloading files. One way to prevent such misuse is RSSH, a restricted form of SSH that limits users to a few commands such as scp, sftp and rsync. Install it with:
sudo apt-get install rssh
Then edit /etc/rssh.conf and uncomment the commands you want to allow (by default, users are locked out completely):
allowscp
allowsftp
allowrsync
Configuring User Shells and Access
Our RSSH users can’t do anything without user accounts, plus logon permission through the same OpenSSH server used for normal remote logons. For the user accounts, we’re going to make the OpenSSH configuration easier by assigning users to one of two groups: the ssh group will have full login access with the default shell (bash); the rssh group will run the RSSH shell. We’ll start by creating the latter group:
sudo groupadd rssh
The ssh group should already exist if you’re running Ubuntu Linux. If not:
sudo groupadd ssh
Add users to these groups with your favorite user management tool. For example, to add the user John Smith with login jsmith to the rssh group, the command is:
sudo usermod -G rssh -a jsmith
(Don’t forget to also add yourself as an unrestricted user, with sudo usermod -G ssh -a your_user_name. The -a flag appends the group; without it, usermod replaces your existing supplementary groups.) You should then see two entries for jsmith in the /etc/group file: one was created for his original login, the other for his membership in the rssh group. As you add other users to the rssh group, you’ll see them appended to this line, separated by commas.
Now restrict each of these users to the RSSH shell by running:
sudo usermod -s /usr/bin/rssh username
replacing username with their login. The last field of their entry in the /etc/passwd file should reflect this change.
Configure your SSH server (OpenSSH) to allow logins from only these groups. Edit /etc/ssh/sshd_config and add an AllowGroups line:
# Comment out any AllowUsers line, because it will override AllowGroups
# AllowUsers jsmith
AllowGroups ssh rssh
Be careful when editing sshd_config on a remote server. A single typo could lock you out, even though you still have a valid password. I recommend you test locally first, and check for conflicting AllowUsers directives before deploying elsewhere. Make sure you have an alternative way to access your server in case you misconfigure OpenSSH.
Restart the SSH server with either /etc/init.d/ssh restart or sudo service ssh restart, and you can begin testing.
Test by logging in as each type of user. When someone assigned to the rssh group logs in, a message informs him about the restriction:
This account is restricted by rssh. Allowed commands: scp sftp rsync
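As an added example (not part of the original post), the POSIX shell helpers below audit the setup described above against copies of sshd_config, /etc/group and /etc/passwd: they flag an active AllowUsers line that conflicts with AllowGroups, and they catch a member of the rssh group whose login shell was never changed to /usr/bin/rssh. The function names and the sample files are my own, constructed for the demonstration.

```shell
# Added example (not from the original post): audit helpers for the RSSH setup.
# Files are passed as arguments, so run them against copies of
# /etc/ssh/sshd_config, /etc/group and /etc/passwd.

# 0 if FILE has an active AllowGroups line naming both ssh and rssh and no
# active AllowUsers line (which the post warns overrides AllowGroups).
check_sshd_config() {
    if grep -Eq '^[[:space:]]*AllowUsers' "$1"; then
        echo "conflict: active AllowUsers line in $1" >&2; return 1
    fi
    line=$(grep -E '^[[:space:]]*AllowGroups' "$1" | tail -n 1 | tr '\t' ' ')
    [ -n "$line" ] || { echo "no AllowGroups line in $1" >&2; return 1; }
    for g in ssh rssh; do
        case " $line " in
            *" $g "*) ;;
            *) echo "AllowGroups does not list $g" >&2; return 1 ;;
        esac
    done
}

# Print the members of group NAME ($2) from GROUPFILE ($1), one per line.
group_members() {
    awk -F: -v g="$2" '$1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }' "$1"
}

# 0 if every rssh group member in GROUPFILE ($1) has /usr/bin/rssh as login
# shell in PASSWDFILE ($2); group membership alone restricts nothing.
check_rssh_shells() {
    bad=0
    for u in $(group_members "$1" rssh); do
        shell=$(awk -F: -v u="$u" '$1 == u { print $7 }' "$2")
        if [ "$shell" != "/usr/bin/rssh" ]; then
            echo "$u is in rssh but has shell '${shell:-<none>}'" >&2; bad=1
        fi
    done
    return $bad
}

# Constructed sample files (not from a real server). asmith is in the rssh
# group but still has bash, so the shell audit is expected to fail.
DEMO_DIR=$(mktemp -d)
printf '# AllowUsers jsmith\nAllowGroups ssh rssh\n' > "$DEMO_DIR/sshd_config"
printf 'ssh:x:1000:admin\nrssh:x:1001:jsmith,asmith\n' > "$DEMO_DIR/group"
printf '%s\n' 'admin:x:1000:1000::/home/admin:/bin/bash' \
    'jsmith:x:1001:1001::/home/jsmith:/usr/bin/rssh' \
    'asmith:x:1002:1002::/home/asmith:/bin/bash' > "$DEMO_DIR/passwd"
check_sshd_config "$DEMO_DIR/sshd_config" && echo "sshd_config: ok"
check_rssh_shells "$DEMO_DIR/group" "$DEMO_DIR/passwd" || echo "shell audit: FAILED"
```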
Creating Jails and Dropboxes
The configuration so far limits what commands the rssh users can run. However, it doesn’t restrict their ability to view files throughout the filesystem. For example, connect with an SFTP client and you’ll see that rssh users can still transfer files from any directory to which they have read permission.
Take a moment to look at the other configuration options and examples in /etc/rssh.conf. If you want to chroot individual users or permit them only a subset of commands, this is one place to do it. Be forewarned that a chroot environment involves more expertise than our simple setup.
A better place to enforce a chroot environment may be the OpenSSH configuration, as in this blog article. Say you want users to be able to download and share files, similar to a commercial service like Dropbox. You could create a common chroot for everyone, like /usr/local/dropbox. Then create individual user directories within it, such as /usr/local/dropbox/home/jsmith. Set permissions to ensure whatever privacy you need, and you have a pretty secure place to store and exchange files.