Restrict user account to scp, sftp, rsync only with Fedora
This howto will show you how to restrict any account to cvs, scp, sftp and rsync only.
Applicable to Fedora Versions:
- Fedora: All versions
Requirements
- Root or appropriate sudo access to the system
- Internet access
Doing the Work
- Install rssh:
    yum install rssh
- Edit /etc/rssh.conf and /etc/passwd and replace /bin/bash with /usr/bin/rssh:
  Uncomment these lines from the top of /etc/rssh.conf:
    allowscp
    allowsftp
    allowcvs
    allowrsync
  vi /etc/passwd (hit "i" for insert and esc :wq for write/quit)
    user:x:501:501::/home/user:/usr/bin/rssh
- Restart sshd and attempt to connect from a remote system using sftp and ssh:
    sftp user@1.2.3.4
    user@1.2.3.4's password:
    sftp>

    ssh user@1.2.3.4
    Enter passphrase for key '/home/user/.ssh/id_dsa':
    user@1.2.3.4's password:
    This account is restricted by rssh.
    Allowed commands: scp sftp cvs rsync
    If you believe this is in error, please contact your system administrator.
    Connection to 1.2.3.4 closed.
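A quick check to run once the steps are done, as an added example that is not part of the original howto: it reads a passwd file and an rssh.conf and reports whether an account is actually confined to rssh and which protocols the configuration enables. The function names are made up for this example, only the global allow* lines are read, and the sample files are constructed.

```shell
#!/bin/sh
# Added example (not from the original howto): audit the rssh setup above.

# Protocols enabled in an rssh.conf: its uncommented allow* lines, sorted.
rssh_allowed() {
    sed -e 's/#.*//' -e 's/[[:space:]]*$//' "${1:-/etc/rssh.conf}" |
        sed -n 's/^[[:space:]]*allow\([a-z][a-z]*\)$/\1/p' | sort | xargs
}

# Login shell of a user in a passwd file; an empty field means /bin/sh.
login_shell() {
    awk -F: -v u="$1" '$1 == u { print ($7 == "" ? "/bin/sh" : $7); exit }' \
        "${2:-/etc/passwd}"
}

# Return 0 only if the account's shell is rssh and a protocol is enabled.
check_rssh_account() {
    user=$1 passwd=${2:-/etc/passwd} conf=${3:-/etc/rssh.conf}
    shell=$(login_shell "$user" "$passwd")
    [ -n "$shell" ] || { echo "$user: no such account"; return 2; }
    [ "$shell" = /usr/bin/rssh ] ||
        { echo "$user: NOT restricted, shell is $shell"; return 1; }
    allowed=$(rssh_allowed "$conf")
    [ -n "$allowed" ] ||
        { echo "$user: rssh shell set, but no allow* line is uncommented"; return 1; }
    echo "$user: restricted by rssh, allowed: $allowed"
}

# Constructed sample files (not from a real system) to try the checks offline.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '# constructed rssh.conf' allowscp allowsftp '#allowcvs' \
        allowrsync > "$d/rssh.conf"
    printf '%s\n' 'user:x:501:501::/home/user:/usr/bin/rssh' \
        'admin:x:500:500::/home/admin:/bin/bash' > "$d/passwd"
    check_rssh_account user "$d/passwd" "$d/rssh.conf"
    check_rssh_account admin "$d/passwd" "$d/rssh.conf" || echo "(exit status $?)"
    rm -rf "$d"
}
demo
```

On a live system, calling check_rssh_account with only the account name reads /etc/passwd and /etc/rssh.conf.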
Troubleshooting
How to test
- Make sure your firewall or denyhosts has not banned or blocked your IP:
    service iptables status
    tail -f /etc/hosts.deny
- Restart sshd, make sure your password is correct for user:
    service sshd restart
    sudo passwd user
Disclaimer
We test this stuff on our own machines, really we do. But you may run into problems; if you do, come to #centos on irc.freenode.net.





















