Description
This document shows how to restrict any account to the cvs, scp, sftp and/or rsync protocols only, by making rssh the account's login shell: the user can transfer files but cannot get an interactive shell or run other commands. Keep in mind that rssh has seen no release since 2.3.4 (the version installed here); for an sftp-only account, OpenSSH's built-in ForceCommand internal-sftp (usually combined with ChrootDirectory in sshd_config) gives the same restriction without a third-party package.
Requirements
Explanation of requirements.
- Root or appropriate sudo access to the system
- Internet access (to download the rssh RPM)
Doing the Work
Basic description of what will be done and what is expected.
- Install rssh from http://rpm.centoshelp.org/el7/rpms/rssh-2.3.4-6.el7.centos.opsec.x86_64.rpm:
yum localinstall http://rpm.centoshelp.org/el7/rpms/rssh-2.3.4-6.el7.centos.opsec.x86_64.rpm
- Edit /etc/rssh.conf. Near the top of the file, uncomment only the protocols the account actually needs; every line left commented out stays blocked, and with nothing uncommented rssh refuses every connection:
allowscp
allowsftp
allowcvs
allowrsync
- Edit /etc/passwd. In the line for the restricted account (and only that account), change the login shell field:
replace: /bin/bash
with: /usr/bin/rssh
user:x:501:501::/home/user:/usr/bin/rssh
- Restart sshd (the systemctl command is in Troubleshooting below) and connect from a remote system. sftp should log in normally, while ssh should be refused with rssh's banner and the connection closed:
sftp user@192.168.1.2
user@1.2.3.4's password:
sftp>
ssh user@192.168.1.2
Enter passphrase for key '/home/user/.ssh/id_dsa':
user@1.2.3.4's password:
This account is restricted by rssh.
Allowed commands: scp sftp cvs rsync

If you believe this is in error, please contact your system administrator.
Connection to 192.168.1.2 closed.
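The four steps above, as one script. This is an added example written for this page; it is not code from centoshelp.org or from the rssh project. Every helper takes the files it touches as arguments, so you can try it on copies before pointing it at the real /etc/rssh.conf and /etc/passwd; only rssh_apply touches the live system, and nothing runs until you call it. Assumed: rssh is installed at /usr/bin/rssh, and the rssh.conf keywords are allowscp, allowsftp, allowcvs, allowrsync plus allowrdist and allowsvnserve (the other protocols rssh 2.3 knows about). The sample rssh.conf and passwd lines used to exercise it are constructed.

```bash
#!/bin/bash
# Added example for the rssh procedure; not the centoshelp page's or rssh's own code.
# Assumptions: rssh lives at /usr/bin/rssh; rssh.conf uses allow<proto> keywords.

# Enable exactly the protocols named after the config path (least privilege):
# the allow<proto> line of each wanted protocol is uncommented, every other
# allow<proto> line is commented out so the account gets nothing extra.
rssh_set_protocols() {
    local conf=$1; shift
    local wanted=" $* " p
    for p in scp sftp cvs rsync rdist svnserve; do   # rdist/svnserve: assumed keywords
        case "$wanted" in
            *" $p "*) sed -i -E "s/^#?[[:space:]]*allow$p([[:space:]]|$).*/allow$p/" "$conf" ;;
            *)        sed -i -E "s/^[[:space:]]*allow$p([[:space:]]|$).*/#allow$p/" "$conf" ;;
        esac
    done
}

# Print the protocols currently enabled in an rssh.conf, one per line.
rssh_enabled_protocols() {
    sed -n -E 's/^[[:space:]]*allow(scp|sftp|cvs|rsync|rdist|svnserve)([[:space:]].*)?$/\1/p' "$1"
}

# Print the login shell recorded for a user in a passwd-format file.
user_shell() {
    awk -F: -v u="$2" '$1 == u { print $7 }' "$1"
}

# Succeed only if the user's login shell is rssh.
rssh_user_ok() {
    [ "$(user_shell "$1" "$2")" = /usr/bin/rssh ]
}

# Succeed if rssh is registered in a shells(5) file. chsh and pam_shells
# refuse a shell that is not listed there; usermod and sshd do not check.
rssh_in_shells() {
    grep -qx /usr/bin/rssh "$1"
}

# Apply the procedure on a CentOS 7 host, as root. Never run automatically;
# call it explicitly, e.g.:  rssh_apply user sftp scp
rssh_apply() {
    local user=$1; shift
    rpm -q rssh >/dev/null 2>&1 ||
        yum -y localinstall http://rpm.centoshelp.org/el7/rpms/rssh-2.3.4-6.el7.centos.opsec.x86_64.rpm
    rssh_set_protocols /etc/rssh.conf "$@"
    usermod -s /usr/bin/rssh "$user"          # same change as editing the field in /etc/passwd
    rssh_user_ok /etc/passwd "$user" || { echo "shell for $user is not rssh" >&2; return 1; }
    rssh_in_shells /etc/shells || echo "warning: /usr/bin/rssh is not listed in /etc/shells" >&2
    systemctl restart sshd.service
}

# Run from a remote machine that has key-based access as the restricted user
# (BatchMode never prompts for a password): sftp must work, and an
# interactive ssh login must be refused with the rssh banner.
rssh_remote_check() {
    local target=$1                                   # user@host
    echo pwd | sftp -o BatchMode=yes "$target" >/dev/null 2>&1 || return 1
    ssh -o BatchMode=yes -T "$target" </dev/null 2>&1 | grep -q 'restricted by rssh'
}
```

rssh_set_protocols deliberately comments out whatever you do not name, so rerunning it with a shorter list tightens the account rather than silently leaving an earlier protocol enabled. The final two checks in rssh_apply are the ones that catch the usual mistakes: the wrong account's shell got changed, or rssh is not in /etc/shells and a later chsh fails.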
Troubleshooting / Testing
Explanation of troubleshooting basics and expectations.
- Make sure your firewall (firewalld on CentOS 7, or the raw iptables rules) or denyhosts has not banned or blocked your IP:
iptables -L INPUT -v -n
tail -f /etc/hosts.deny
- Restart sshd and make sure the password for user is correct; failed logins and the rssh refusal show up in /var/log/secure:
systemctl restart sshd.service
passwd user
Disclaimer
We test this stuff on our own machines, really we do. But you may run into problems, if you do, come to #centoshelp on irc.freenode.net