Restrict User Account To: cvs, scp, sftp, rsync Only With CentOS
This howto shows how to restrict any account to cvs, scp, sftp and rsync only, by replacing the account's login shell with rssh.
Applicable to CentOS Versions:
- CentOS 5.x
- CentOS 6.x
Requirements
- Root or appropriate sudo access to the system
- Internet access
Doing the Work
- Install rssh from the RPMForge repository or download it from DAG here: http://dag.wieers.com/rpm/packages/rssh/:

    yum --enablerepo=rpmforge install rssh

  or:

    rpm -ivh http://dag.wieers.com/rpm/packages/rssh/rssh-2.3.2-1.2.el5.rf.i386.rpm
    rpm -ivh http://dag.wieers.com/rpm/packages/rssh/rssh-2.3.2-1.2.el5.rf.x86_64.rpm

- Edit /etc/rssh.conf and /etc/passwd and replace /bin/bash with /usr/bin/rssh:

  Uncomment these lines from the top of /etc/rssh.conf:

    allowscp
    allowsftp
    allowcvs
    allowrsync

  Then edit the user's entry in /etc/passwd:

    vi /etc/passwd (hit "i" for insert and esc :wq for write/quit)

    user:x:501:501::/home/user:/usr/bin/rssh

- Restart sshd and attempt to connect from a remote system using sftp and ssh:

    sftp user@1.2.3.4
    user@1.2.3.4's password:
    sftp>

    ssh user@1.2.3.4
    Enter passphrase for key '/home/user/.ssh/id_dsa':
    user@1.2.3.4's password:

    This account is restricted by rssh.
    Allowed commands: scp sftp cvs rsync

    If you believe this is in error, please contact your system administrator.

    Connection to 1.2.3.4 closed.
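An added example (not part of the original howto or of rssh): a small audit script that reports which accounts use /usr/bin/rssh, which regular accounts still have another login shell, and which of the four allow lines are not active. The function names, the UID threshold of 500 and the sample files are assumptions constructed for illustration; on a real system, point the functions at /etc/passwd and /etc/rssh.conf.

```shell
#!/bin/sh
# Added example: audit helper for the setup in this howto (not part of rssh).
RSSH_SHELL=/usr/bin/rssh                            # shell path from the howto
WANTED="allowscp allowsftp allowcvs allowrsync"     # lines the howto uncomments

# Active (uncommented) allow* directives in an rssh.conf ($1).
rssh_enabled() { awk '$1 ~ /^allow[a-z]+$/ {print $1}' "$1"; }

# Directives the howto expects that are still commented out or absent in $1.
rssh_missing() {
    enabled=$(rssh_enabled "$1")
    for d in $WANTED; do
        printf '%s\n' "$enabled" | grep -qx "$d" || echo "$d"
    done
}

# Login names in a passwd file ($1) whose shell is rssh.
rssh_users() { awk -F: -v sh="$RSSH_SHELL" '$7 == sh {print $1}' "$1"; }

# Regular accounts (UID >= $2, default 500 as an assumption) that still have
# another login shell, i.e. are not restricted by rssh and not nologin/false.
unrestricted_users() {
    awk -F: -v sh="$RSSH_SHELL" -v min="${2:-500}" \
        '$3 >= min && $7 != sh && $7 !~ /(nologin|false)$/ {print $1}' "$1"
}

# Constructed sample files (not from a real system) so the example runs offline.
DEMO=$(mktemp -d)
cat > "$DEMO/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
user:x:501:501::/home/user:/usr/bin/rssh
alice:x:502:502::/home/alice:/bin/bash
backup:x:503:503::/home/backup:/sbin/nologin
EOF
cat > "$DEMO/rssh.conf" <<'EOF'
allowscp
allowsftp
# allowcvs
allowrsync
EOF

echo "restricted to rssh:   $(rssh_users "$DEMO/passwd")"
echo "still have a shell:   $(unrestricted_users "$DEMO/passwd")"
echo "not enabled in conf:  $(rssh_missing "$DEMO/rssh.conf")"
```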
Troubleshooting / How To Test
- Make sure your firewall or denyhosts has not banned or blocked your ip:

    service iptables status
    tail -f /etc/hosts.deny

- Restart sshd, make sure your password is correct for user:

    service sshd restart
    sudo passwd user
Disclaimer
We test this stuff on our own machines, really we do. But you may run into problems; if you do, come to #centoshelp on irc.freenode.net


