Restricted shells such as rssh and scponly let a system administrator limit what Linux users can do. For example, you can create accounts that are allowed to copy files over SCP but are not allowed to log in to the system's command line. This is an important security feature that every system administrator should consider in order to prevent unauthorized activity over SSH.
If you have some online storage that is used for nothing more than receiving backup data from remote hosts over SCP/SSH or rsync, it is strongly recommended to put the accounts that accept these incoming connections behind a restricted shell. Then even if an attacker obtains the username and password (or key), he or she will not get a shell on your system. Such an attacker can still read or overwrite whatever that account can reach over SCP, which is why a chroot (see Further reading below) is worth adding.
scponly is an extremely simple restricted shell: a user account with the scponly binary as its login shell cannot do anything except transfer files to and from a remote host with scp (or with rsync over SSH). rssh provides a bit more functionality: you can restrict users to selected protocols (scp, sftp, rsync, cvs or rdist), optionally inside a chroot environment.
Installation:
I prefer to use yum or aptitude to install software like rssh or scponly; the quickest way is one of the following commands, depending on your distribution and which shell you need:
- apt-get install rssh
- apt-get install scponly
- yum install rssh
- yum install scponly
If the restricted shell you need is not in your distribution's repository, download the source code and do the usual ./configure, make and make install. Here are the links: latest rssh tar.gz, latest scponly tgz. Note that a source build installs under /usr/local by default, so adjust the shell paths used below accordingly.
Configuration:
scponly needs no configuration after installation; you simply set it as the login shell of a user account. Here are some examples.
Create a new account with scponly as its shell:
- useradd -s /usr/sbin/scponly user1
Change an existing account to use rssh as its shell:
- usermod -s /usr/sbin/rssh user2
/usr/sbin/scponly is the scponly binary (the exact path varies by distribution and build; check with which scponly or which rssh before pointing an account at it). A newly created account still needs a password or an SSH key before anyone can use it.
rssh's configuration is a text file, typically /etc/rssh.conf. You can set per-user options or global limits that apply to every account using rssh. The default rssh.conf is well commented, so configuring rssh should not be a problem, but here are some examples anyway.
To restrict all rssh users to scp and rsync, leave exactly these two allow lines uncommented in rssh.conf (the others stay commented out):
- allowscp
- #allowsftp
- #allowcvs
- #allowrdist
- allowrsync
Now some per-user examples. A user= line overrides the global allow* settings for that account. To allow the user peter to use only scp, the following line in rssh.conf does it:
- user=peter:022:00001:
To allow the user ann to use only scp and rsync:
- user=ann:022:10001:
As you can see, each user line specifies the enabled protocols as a string of five binary digits. Their order, from left to right, is rsync, rdist, cvs, sftp, scp (as documented in rssh.conf(5)), which is why 00001 is scp only and 10001 is scp plus rsync; likewise 00011 enables scp and sftp, 11111 enables all five, and 00000 enables nothing. The 022 in the examples is the umask applied to files the user creates, and the empty field after the last colon is the chroot path, unused here.
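Because the bit order is easy to get wrong, here is a small POSIX shell helper, added as an example and not part of the original article or of rssh itself, that builds user= lines from protocol names, decodes an access string back into protocol names, and reports which protocols an account effectively gets from a given rssh.conf (its own user= line if present, otherwise the global allow* lines). The bit order comes from rssh.conf(5); the sample configuration it writes to a temporary file is constructed here to mirror the peter and ann lines above, and the "last matching user= line wins" choice is this example's, not a documented rssh rule.

```shell
#!/bin/sh
# Added example, not part of the original article: build and decode the
# per-user access strings in rssh.conf, and report what a given account may do.
# rssh's five access bits are, from left to right, rsync, rdist, cvs, sftp, scp
# (rssh.conf(5)), which is why "00001" means scp only and "10001" scp + rsync.

RSSH_BIT_ORDER="rsync rdist cvs sftp scp"

# rssh_bits PROTO... -> the 5-digit access string enabling exactly PROTO...
rssh_bits() {
    for want in "$@"; do              # refuse typos instead of silently dropping them
        case " $RSSH_BIT_ORDER " in
            *" $want "*) ;;
            *) echo "rssh_bits: unknown protocol '$want'" >&2; return 1 ;;
        esac
    done
    bits=""
    for slot in $RSSH_BIT_ORDER; do
        b=0
        for want in "$@"; do
            if [ "$want" = "$slot" ]; then b=1; fi
        done
        bits="$bits$b"
    done
    printf '%s\n' "$bits"
}

# rssh_decode BITS -> the protocols enabled by a 5-digit access string
rssh_decode() {
    bits=$1
    case "$bits" in
        [01][01][01][01][01]) ;;
        *) echo "rssh_decode: bad access string '$bits'" >&2; return 1 ;;
    esac
    out=""; i=1
    for slot in $RSSH_BIT_ORDER; do
        if [ "$(printf '%s' "$bits" | cut -c "$i")" = 1 ]; then
            out="$out${out:+ }$slot"
        fi
        i=$((i + 1))
    done
    printf '%s\n' "$out"
}

# rssh_user_line USER UMASK CHROOT PROTO... -> a "user=" line for rssh.conf.
# CHROOT may be empty; the trailing colon then ends an empty chroot-path field.
rssh_user_line() {
    user=$1; mask=$2; chroot=$3; shift 3
    bits=$(rssh_bits "$@") || return 1
    printf 'user=%s:%s:%s:%s\n' "$user" "$mask" "$bits" "$chroot"
}

# rssh_effective CONF USER -> protocols USER gets under CONF: its user= line if
# present (this example takes the last one if repeated; the grep tolerates
# whitespace around '=' and optional quotes around the value), otherwise the
# global allow* directives that apply to every rssh account.
rssh_effective() {
    conf=$1; who=$2
    line=$(grep -E "^[[:space:]]*user[[:space:]]*=[[:space:]]*\"?$who:" "$conf" | tail -n 1)
    if [ -n "$line" ]; then
        rssh_decode "$(printf '%s\n' "$line" | sed 's/^[^=]*=[[:space:]]*"\{0,1\}//' | cut -d: -f3)"
    else
        out=""
        for p in $RSSH_BIT_ORDER; do
            if grep -Eq "^[[:space:]]*allow$p([[:space:]]|$)" "$conf"; then
                out="$out${out:+ }$p"
            fi
        done
        printf '%s\n' "$out"
    fi
}

# Demo with a constructed rssh.conf mirroring the article: global scp+rsync,
# peter limited to scp, ann to scp+rsync, user1 falling back to the globals.
demo=$(mktemp) || exit 1
{
    echo "allowscp"; echo "#allowsftp"; echo "allowrsync"
    rssh_user_line peter 022 "" scp
    rssh_user_line ann 022 "" scp rsync
} > "$demo"
for u in peter ann user1; do
    printf '%s may use: %s\n' "$u" "$(rssh_effective "$demo" "$u")"
done
rm -f "$demo"
```

Run it as sh rssh_bits.sh to see the three demo accounts; point rssh_effective at your real /etc/rssh.conf to audit an account before you rely on it. The functions deliberately reject unknown protocol names and malformed bit strings, because a silently wrong access string is exactly how an account ends up with more (or less) than you intended.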
Test:
Suppose you have created user1 with rssh as its shell and only scp and rsync enabled. An attempt to log in to the user1 account over SSH ends with the following output:
- artiomix$ ssh user1@1.2.3.4
- user1@1.2.3.4's password:
- This account is restricted by rssh.
- Allowed commands: scp rsync
- If you believe this is in error, please contact your system administrator.
- Connection to 1.2.3.4 closed.
An scp transfer, on the other hand, works without any problem (the server here listens on port 23451, hence -P; note that scp's port option is uppercase -P, unlike ssh's -p, and a lowercase -p would be taken as "preserve timestamps" with 23451 treated as a file name):
- artiomix$ scp -P 23451 /etc/test.file user1@1.2.3.4:/tmp
- user1@1.2.3.4's password:
- test.file 100% 983 1.0KB/s 00:00
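The manual test above is worth automating, since a restricted account is usually set up once and then forgotten. The following POSIX shell script is an added example and not part of the original article: for a given account it runs a non-interactive login ("ssh ... true"), classifies the result from the exit status and the rssh banner text shown in the transcript above, and then pushes a constructed probe file with scp and pulls it back to confirm that file transfer still works. user1, 1.2.3.4 and 23451 are the article's values and are passed in as arguments; the verdict names (shell, restricted-rssh, refused) are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original article: an automated version of the
# manual test above. For a restricted account, a non-interactive login must be
# refused while an scp round trip must succeed. The banner text is the one in
# the article's transcript; user, host and port are passed as arguments.

RSSH_BANNER="This account is restricted by rssh"

# classify_login STATUS OUTPUT -> shell | restricted-rssh | refused
# STATUS is the exit code of 'ssh ... true'; OUTPUT is everything it printed.
classify_login() {
    status=$1; output=$2
    if [ "$status" -eq 0 ]; then
        echo shell                    # the remote ran "true": the account is NOT restricted
    else
        case "$output" in
            *"$RSSH_BANNER"*) echo restricted-rssh ;;   # rssh rejected the command
            *)                echo refused ;;           # some other refusal (scponly, auth, ...)
        esac
    fi
}

# allowed_commands OUTPUT -> the list rssh prints after "Allowed commands:"
allowed_commands() {
    printf '%s\n' "$1" | sed -n 's/^Allowed commands:[[:space:]]*//p'
}

# check_account USER HOST PORT -> 0 if login is refused and scp round-trips,
# 1 otherwise. Password prompts are allowed, so this can be run interactively.
check_account() {
    user=$1; host=$2; port=$3
    status=0
    output=$(ssh -p "$port" -o ConnectTimeout=10 "$user@$host" true 2>&1) || status=$?
    verdict=$(classify_login "$status" "$output")
    echo "login test: $verdict"
    if [ "$verdict" = shell ]; then
        echo "FAIL: $user got a shell on $host" >&2
        return 1
    fi
    if [ "$verdict" = restricted-rssh ]; then
        echo "rssh allows: $(allowed_commands "$output")"
    fi
    # scp must still work: push a constructed probe file and pull it back
    probe=$(mktemp) || return 1
    printf 'probe from %s at %s\n' "$(uname -n)" "$(date)" > "$probe"
    name=$(basename "$probe")
    if scp -q -P "$port" "$probe" "$user@$host:/tmp/$name" &&
       scp -q -P "$port" "$user@$host:/tmp/$name" "$probe.back" &&
       cmp -s "$probe" "$probe.back"; then
        echo "scp test: round trip OK"; rc=0
    else
        echo "FAIL: scp round trip failed for $user@$host" >&2; rc=1
    fi
    rm -f "$probe" "$probe.back"
    return $rc
}

# Usage: sh check_restricted.sh user1 1.2.3.4 23451
if [ $# -eq 3 ]; then
    check_account "$@"
fi
```

The login probe sends the command true rather than requesting an interactive session, so it needs no terminal and gives a clean pass/fail: exit status 0 means the account has a real shell, which is the one outcome you must never see. A refusal without the rssh banner is reported separately, since scponly and authentication failures also refuse the login and you will want to look at the output to tell them apart.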
Further reading:
rssh supports chroot environments for scp, rsync and the other protocols it handles (the chroot path goes in the fourth field of the user= line). This means you can restrict users not only in which commands they may run but also in which part of the filesystem they land in. For example, user1 can be chrooted to /chroot_user1 so that it cannot copy files out of the server's /etc or into /var/www. Here is a good manual on chroot with rssh.
Original source: http://www.linuxscrew.com/2012/07/05/linux-restricted-Shells-rssh-and-Scponly/
http://os.51cto.com/art/201311/417631.htm
Restricted shells under Linux: rssh and scponly