A fairly common situation: you have a remote Linux machine reachable over SSH, and you urgently need to let a friend upload a file to it. Naturally, we are far too lazy to deploy an FTP server just for this. And why would we, when there is scp?
The catch: we do not want this friend to be able to do anything else on the machine. You never know. So, for a start, we create a separate user, give it a home directory where the file is to be uploaded, and restrict that user's access to the surrounding directories. But the user still has a login shell, and we, as experienced paranoiacs, do not like that at all.
The obvious way out: replace the user's default shell (/bin/sh) with something else. But with what?
/bin/false or /bin/true will stop ssh from doing anything, but scp will stop working too: sshd runs scp (and sftp, rsync) on the remote side through the user's login shell, so a shell that refuses to execute anything breaks them as well. There is the magical git-shell, but it is of little use for anything other than git.
A brief search on the Internet shows that the problem was solved long ago: there is rssh (restricted shell for use with OpenSSH). Its job comes down to allowing the user a few services such as scp, sftp, rsync, etc., while forbidding the execution of any other command.
On Debian/Ubuntu it is installed from the repository:
$ sudo apt-get install rssh
After installation, open /etc/rssh.conf and uncomment the lines for the services you need (allowscp and allowrsync, for example); by default they are all commented out and the user is locked out completely. Then set /usr/bin/rssh as the login shell of the newly created user in /etc/passwd. Now check access:
$ ssh rsshuser@remote
This account is restricted by rssh.
Allowed commands: scp rsync
If you believe this is in error, please contact your system administrator.
Connection to remote closed.
$ scp ./file.txt rsshuser@remote:file.txt
file.txt                                      100%   51KB   1.2MB/s   00:03
$
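The procedure above as one script, added here as an example; it is not code from the original post or from rssh itself. It assumes the stock Debian rssh.conf layout (one directive per line, disabled ones commented out with '#'), GNU sed for in-place editing, and a user named rsshuser; the RSSH_APPLY variable and the helper function names are the example's own.

```shell
#!/bin/sh
# Added example, not code from the original post or from the rssh project.
# Automates the steps above on Debian/Ubuntu: enable services in
# /etc/rssh.conf, create the upload user with /usr/bin/rssh as its shell,
# and verify the result. Assumptions: stock Debian rssh.conf layout
# (one directive per line, disabled ones commented out), GNU sed (-i),
# and the user name "rsshuser" (hypothetical).

# Uncomment the given directive in an rssh.conf-style file.
# Only a line that is exactly "#<directive>" is touched, so enabling
# "allowscp" cannot accidentally alter "#allowsftp" or comment text.
rssh_enable() {
    file=$1
    directive=$2
    sed -i "s/^[[:space:]]*#[[:space:]]*${directive}[[:space:]]*$/${directive}/" "$file"
}

# Print the services enabled in an rssh.conf-style file, one per line.
rssh_enabled_services() {
    grep -E '^[[:space:]]*allow(scp|sftp|cvs|rdist|rsync|svnserve)[[:space:]]*$' "$1" \
        | sed 's/^[[:space:]]*allow//'
}

# Succeed only if the named user's login shell in a passwd-style file
# is /usr/bin/rssh (an unknown user also fails).
user_shell_is_rssh() {
    awk -F: -v u="$2" '
        $1 == u { shell = $7 }
        END { if (shell == "/usr/bin/rssh") exit 0; exit 1 }
    ' "$1"
}

# The whole procedure on the target host (run as root). Not exercised by
# the offline checks, which only use the helpers above on constructed files.
setup_rssh_user() {
    user=${1:-rsshuser}
    apt-get install -y rssh
    rssh_enable /etc/rssh.conf allowscp
    rssh_enable /etc/rssh.conf allowrsync
    # The home directory is where the file will be uploaded; /usr/bin/rssh
    # as the login shell is what keeps the user out of an interactive session.
    useradd --create-home --shell /usr/bin/rssh "$user"
    # Keep other unprivileged users out of the upload directory.
    chmod 0750 "/home/$user"
    user_shell_is_rssh /etc/passwd "$user" || {
        echo "login shell of $user is not /usr/bin/rssh" >&2
        return 1
    }
    echo "enabled rssh services: $(rssh_enabled_services /etc/rssh.conf | tr '\n' ' ')"
}

# Only touch the real system when explicitly asked:
#   RSSH_APPLY=1 sh restrict.sh rsshuser
if [ "${RSSH_APPLY:-0}" = 1 ]; then
    setup_rssh_user "${1:-rsshuser}"
fi
```

Without RSSH_APPLY=1 the script only defines the helpers, so it can be sourced and tried against copies of /etc/rssh.conf and /etc/passwd before being run for real as root.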
For paranoiacs in an advanced stage, and for particularly sensitive systems, rssh can also keep a separate list of allowed services for each user, and even put each user into its own chroot for maximum isolation (the chroot then needs its own copies of scp or rsync and their libraries; rssh ships a helper script, mkchroot.sh, for that). Note also that for the pure upload case OpenSSH itself manages without a third-party shell: a Match User block in sshd_config with ForceCommand internal-sftp and ChrootDirectory, at the price of sftp instead of scp.
P.S. I know the utility is far from new, but I still have not seen a description of it on Habr, and it may well be useful to someone.