You've set up a server and your users are happily transferring files with apps like Filezilla or Cyberduck. You know that plain FTP is not secure, so you're requiring secure FTP (SFTP). Very nice so far -- no FTP server required.
Only problem is, your users also have SSH access, and that creates a potential security vulnerability. Their accounts could be used (or exploited) to run commands, when all you want to allow them is uploading and downloading files. One way to prevent such misuse is RSSH, a restricted form of SSH that limits users to a few commands like
sudo apt-get install rssh
/etc/rssh.conf, and uncomment the commands you want to allow (by default, users are locked out completely):
allowscp allowsftp allowrsync
Configuring User Shells and Access
Our RSSH users can't do anything without user accounts, plus logon permissions through the same OpenSSH server used for normal remote logons. For the user accounts, we're going to make the OpenSSH configuration easier by assigning users to one of two groups: the
ssh group will have full login access with the default shell (bash); the
rssh group will run the RSSH shell. We'll start by creating the latter group:
sudo groupadd rssh
ssh group should already exist if you're running Ubuntu Linux. If not:
sudo groupadd ssh
Add users to these groups with your favorite user management tool. For example, to add the user John Smith with login jsmith to the
rssh group, the command is
sudo usermod -G rssh -a jsmith. (Don't forget to also add yourself as an unrestricted user, with
sudo usermod -G ssh your_user_name.) You should then see two entries for
jsmith in the
/etc/group file: one was created for his original login, the other for his membership in the rssh group. As you add other users to the
rssh group, you'll see them appended to this line, with commas.
Now restrict each of the users to the RSSH shell by running:
sudo usermod -s /usr/bin/rssh username, replacing
username with their login. The last field in the
/etc/passwd file should reflect this change:
Configure your SSH server (OpenSSH) to allows logins from only these groups. Edit
/etc/ssh/sshd_config and add an AllowGroups line:
# Comment out any AllowUsers line, because it will override AllowGroups # AllowUsers jsmith AllowGroups ssh rssh
Be careful when editing
sshd_config on a remote server. A single typo could lock you out, even though you still have a valid password. I recommend you test locally first, and check for conflicting
AllowUsers directives before deploying elsewhere. Make sure you have a backdoor way to access your server if you misconfigure OpenSSH.
Restart the ssh server, and you can begin testing, using either
/etc/init.d/ssh restart or
sudo service ssh restart.
Test by logging in as each type of user. When someone assigned to the
rssh group logs in, a message informs him about the restriction:
This account is restricted by rssh. Allowed commands: scp sftp rsync
Creating Jails and Dropboxes
The configuration so far limits what commands the rssh users can run. However, it doesn't restrict their ability to view files throughout the filesystem. For example, try connecting with an FTP client, and you'll see that rssh users still have the ability to transfer files from any directory to which they have read permissions.
Take a moment to look at the other configuration options and examples in
/etc/rssh.conf. If you want to
chroot individual users or permit them only a subset of commands, this is one place to do it. Be forewarned that a
chroot environment involves more expertise than our simple setup.
A better place to enforce a
chroot environment may be the OpenSSH configuration, as in this blog article. Say you want users to be able to download and share files, similar to a commercial service like Dropbox. You could create a common chroot for everone, like
/usr/local/dropbox. Then create individual user directories within it, such as
/usr/local/dropbox/home/jsmith. Set permissions to ensure whatever privacy you need, and you have a pretty secure place to store and exchange files.
This post was originally published on my other blog, https://tech.surveypoint.com