Introduction

When managing a Linux server, a common requirement is to give certain users file-transfer access without granting them a full interactive shell. Two tools built for this are rssh and scponly. Both are restricted login shells: a user whose shell is set to one of them can run only specific file-transfer programs (SCP, SFTP and, where enabled, rsync) and is refused anything else, including interactive logins and arbitrary commands.

In this guide, we will cover the installation and setup of rssh and scponly on a Linux system.

Installing rssh

Install rssh

Most Linux distributions provide rssh in their package repositories. You can install it using the following commands:

For Debian/Ubuntu:

sudo apt update && sudo apt install rssh -y

For CentOS/RHEL:

sudo yum install rssh -y

For Arch Linux:

sudo pacman -S rssh

Configure rssh

Once installed, configure rssh by editing its configuration file:

sudo nano /etc/rssh.conf

rssh denies every protocol until its allow* option is uncommented, so enable only the protocols your users actually need. Example:

allowscp
allowsftp
allowrsync

Save and exit the file.

Set Up a User with rssh

To assign rssh as the shell for a specific user, run:

sudo usermod -s /usr/bin/rssh username

The user can now log in only to run the protocols enabled in /etc/rssh.conf; interactive SSH logins and any other commands are rejected.
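Because rssh refuses a protocol whenever its allow* line is missing or still commented out, it is worth checking what a given rssh.conf really enables before pointing users at the server. The script below is an added example written for this guide, not code from the rssh project: it reads an rssh.conf, reports the active allow* directives, and runs itself against a constructed sample file. It assumes an option is active only when the keyword stands alone on its line (leading and trailing whitespace ignored), which matches the examples shipped in rssh.conf; confirm against the rssh.conf man page for your version.

```sh
#!/bin/sh
# Added example, not part of the original guide: read an rssh.conf and report
# which transfer protocols it actually enables. rssh denies every protocol
# until the matching allow* keyword is present and uncommented, so a leftover
# '#' quietly locks the user out of the transfer they expect.
# Assumption: an option counts as active only when the keyword stands alone on
# its line (surrounding whitespace ignored), as in the stock rssh.conf examples.

# rssh_allowed PROTO FILE -- exit 0 if "allowPROTO" is an active directive in FILE.
rssh_allowed() {
    grep -Eq "^[[:space:]]*allow$1[[:space:]]*$" "$2"
}

# rssh_enabled_protocols FILE -- print every enabled protocol, one per line,
# in a fixed order so the output is easy to diff between hosts.
rssh_enabled_protocols() {
    for proto in cvs rdist rsync scp sftp; do
        if rssh_allowed "$proto" "$1"; then
            echo "$proto"
        fi
    done
}

# write_sample_conf FILE -- constructed sample rssh.conf used for the demo;
# it is not a real server's configuration.
write_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample rssh.conf
logfacility = LOG_USER
allowscp
#allowsftp
   allowrsync
umask = 022
EOF
}

# Demo: build the sample file and show what it enables.
# On a real host run: rssh_enabled_protocols /etc/rssh.conf
demo_conf=$(mktemp) || exit 1
write_sample_conf "$demo_conf"
echo "Protocols enabled by the sample rssh.conf:"
rssh_enabled_protocols "$demo_conf"      # rsync and scp; sftp is still commented out
rm -f "$demo_conf"
```

Run it against /etc/rssh.conf after editing; if a protocol you expected is not listed, the line is either still commented out or misspelt, and rssh will reject that transfer rather than fall back to something more permissive.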

Installing scponly

Install scponly

For Debian-based systems:

sudo apt update && sudo apt install scponly -y

For CentOS/RHEL:

sudo yum install scponly -y

For Arch Linux:

sudo pacman -S scponly

Set Up scponly for a User

To restrict a user to scponly, modify their shell:

sudo usermod -s /usr/bin/scponly username

To ensure the user is properly restricted, test with:

ssh username@server

The interactive login should be refused, while SCP and SFTP file transfers for the same account keep working.

Testing and Verification

To verify the setup, attempt file transfers using:

For SCP:

scp file.txt username@server:/home/username/

For SFTP:

sftp username@server

If set up correctly, users should be able to transfer files but not execute commands.
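The ssh, scp and sftp tests above exercise one account at a time. On a server with several transfer-only users it is also useful to audit the account database itself, so that an account that was never switched to the restricted shell does not go unnoticed. The script below is an added example written for this guide, not code from the rssh or scponly projects. It takes passwd-format and shells-format files as arguments (so it can run on copies as well as the live /etc/passwd and /etc/shells), identifies the restricted shell by its basename, rssh or scponly, so installs under /usr/bin and /usr/local/bin are both recognised, and demonstrates itself on constructed sample data. The /etc/shells check is included because chsh refuses to set a shell that is not listed there and services that use pam_shells reject such accounts, even though sshd itself does not consult the file.

```sh
#!/bin/sh
# Added example, not part of the original guide: audit which accounts are
# confined to rssh or scponly and flag two gaps the per-user ssh/scp tests do
# not reveal: a supposedly transfer-only user who still has a normal shell, and
# a restricted shell that is not registered in /etc/shells (chsh refuses to set
# it and pam_shells-based services reject the login; sshd does not check).
# Assumptions: the restricted shell is recognised by its basename (rssh or
# scponly); file paths are passed in rather than hard-coded.

# restricted_users PASSWD -- print "user shell" for each rssh/scponly account.
restricted_users() {
    awk -F: '{ n = split($7, p, "/"); b = p[n];
               if (b == "rssh" || b == "scponly") print $1, $7 }' "$1"
}

# shell_listed SHELL SHELLS_FILE -- exit 0 if SHELL is a line in SHELLS_FILE.
shell_listed() {
    grep -Fxq "$1" "$2"
}

# audit_user PASSWD SHELLS_FILE USER -- print one word describing USER:
#   restricted    rssh/scponly shell, and that shell is listed in SHELLS_FILE
#   unlisted      rssh/scponly shell, but it is missing from SHELLS_FILE
#   unrestricted  ordinary login shell: the user is NOT confined
#   missing       no such account in PASSWD
audit_user() {
    shell=$(awk -F: -v u="$3" '$1 == u { print $7 }' "$1")
    if [ -z "$shell" ]; then
        echo missing
        return 0
    fi
    case "${shell##*/}" in
        rssh|scponly)
            if shell_listed "$shell" "$2"; then echo restricted; else echo unlisted; fi ;;
        *)
            echo unrestricted ;;
    esac
}

# write_samples PASSWD SHELLS_FILE -- constructed sample files for the demo;
# none of these accounts exist on a real host.
write_samples() {
    cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001:transfer user:/home/alice:/usr/bin/rssh
bob:x:1002:1002:transfer user:/home/bob:/usr/bin/scponly
carol:x:1003:1003:admin:/home/carol:/bin/bash
EOF
    cat > "$2" <<'EOF'
/bin/sh
/bin/bash
/usr/bin/rssh
EOF
}

# Demo: audit the users the administrator intends to be transfer-only.
# On a real host: for u in alice bob; do audit_user /etc/passwd /etc/shells "$u"; done
demo_passwd=$(mktemp) || exit 1
demo_shells=$(mktemp) || exit 1
write_samples "$demo_passwd" "$demo_shells"
for u in alice bob carol dave; do
    printf '%-6s %s\n' "$u" "$(audit_user "$demo_passwd" "$demo_shells" "$u")"
done
# alice: restricted, bob: unlisted, carol: unrestricted, dave: missing
rm -f "$demo_passwd" "$demo_shells"
```

Any "unrestricted" result for an account that is meant to be transfer-only means the usermod step was skipped or reverted, and that user still has a full shell; "unlisted" means the shell works over SSH but should be added to /etc/shells so the account behaves consistently with other services.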

Conclusion

Using rssh and scponly, administrators can reduce their exposure by limiting selected users to file transfers only. This blocks interactive shell access for those accounts while still allowing the file exchange they need. Review the configuration and the list of restricted accounts regularly so that they stay aligned with your security policy.