Linux Restricted Shell
The idea of a restricted shell first arose in the Unix operating system as a way to prevent the end-user from performing as many operations as a normal shell allows. A restricted shell lets the administrator control the end-user’s computing environment by permitting only explicitly allowed commands. The Linux restricted shell (rssh) is similar, but only a minimum command set is enabled for the end-user. When installed, the default configuration removes all access and capabilities until the administrator modifies the configuration file. In the past, if no configuration file was included with the rssh installation, SCP would be enabled by default for all users. This was changed recently, and there is no access for any end-user until the configuration file is created.
What Commands Must Be Enabled in RSSH?
At a minimum, one of the following commands must be made available to the end-user in rssh:
Backup utility – rdist
Concurrent Versions System (CVS) – cvs
Secure copy – scp
Secure FTP – sftp
Sync filesystem – rsync
How Do I Install rssh?
There are essentially three ways to install rssh, depending on the Linux distribution being used.
Fedora – rssh is available through Yum. The command to enter for installation is:
yum install rssh
Debian – Available through apt-get. The command to install is:
apt-get install rssh
Other builds of Linux – Download from dragonToe.org/rssh.
How to Modify the rssh Configuration File
Step 1 – Locate the rssh configuration file at “/etc/rssh.conf”.
Step 2 – Modify the file to permit SFTP on the server by removing the comment marker from the “allowsftp” line. If the line is not present in the file, add it at the top of the file.
Step 3 – Add at least one user (e.g. Mike) by running the following command, which creates the account with rssh as its login shell:
useradd -m -d /home/mike -s /usr/bin/rssh mike
Step 4 – Alternatively, for an existing user, use the usermod command to assign rssh as the user’s login shell:
usermod -s /usr/bin/rssh mike
Step 5 – Save the configuration file. rssh will then offer only the targeted capability(ies) to the end-users added above.
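The steps above can be scripted and then audited. The following is an added example, not part of the original article or of rssh itself: it enables SFTP in an rssh.conf-style file and reports which allow* keywords are active and which accounts use rssh as their login shell. It runs against constructed sample files in a temporary directory; the function names are hypothetical, and the keywords other than allowsftp come from the standard rssh.conf format rather than from this page.

```shell
#!/bin/sh
# Added example. Works on copies; file contents below are constructed samples.

# Enable SFTP in an rssh.conf-style file: uncomment "allowsftp" if it is
# commented out, or add it at the top if the keyword is missing entirely.
enable_sftp() {
    conf=$1
    if grep -Eq '^[[:space:]]*allowsftp[[:space:]]*$' "$conf"; then
        return 0    # already active, nothing to change
    elif grep -Eq '^[[:space:]]*#[[:space:]]*allowsftp[[:space:]]*$' "$conf"; then
        sed -E 's/^[[:space:]]*#[[:space:]]*(allowsftp)[[:space:]]*$/\1/' "$conf" > "$conf.new"
    else
        { echo allowsftp; cat "$conf"; } > "$conf.new"
    fi
    mv "$conf.new" "$conf"
}

# List the allow* keywords that are active (uncommented), space separated.
enabled_commands() {
    awk '$1 ~ /^allow[a-z]+$/ {print $1}' "$1" | sort | paste -sd ' ' -
}

# List accounts in a passwd-format file whose login shell is rssh.
rssh_users() {
    awk -F: -v sh="${2:-/usr/bin/rssh}" '$7 == sh {print $1}' "$1" | paste -sd ' ' -
}

# Demo on constructed sample files in a temporary directory.
demo_dir=$(mktemp -d)
cat > "$demo_dir/rssh.conf" <<'EOF'
# constructed sample: everything disabled
#allowscp
#allowsftp
#allowrsync
EOF
cat > "$demo_dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
mike:x:1001:1001::/home/mike:/usr/bin/rssh
EOF
enable_sftp "$demo_dir/rssh.conf"
echo "enabled: $(enabled_commands "$demo_dir/rssh.conf")"
echo "rssh users: $(rssh_users "$demo_dir/passwd")"
```

On a real server, point enabled_commands at /etc/rssh.conf and rssh_users at /etc/passwd to confirm that only the intended commands and accounts are exposed.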