This document will show you how to restrict any account to the cvs, scp, sftp and/or rsync protocols only.
Explanation of requirements.
- Root or appropriate sudo access to the system
- Internet access
Doing the Work
Basic description of what will be done and what is expected.
- Install rssh from http://rpm.centoshelp.org/el7/rpms/rssh-2.3.4-6.el7.centos.opsec.x86_64.rpm:

yum localinstall http://rpm.centoshelp.org/el7/rpms/rssh-2.3.4-6.el7.centos.opsec.x86_64.rpm

- Edit /etc/rssh.conf and /etc/passwd:

Uncomment these lines from the top of /etc/rssh.conf:

Replace these lines from the top of /etc/passwd:

- Restart sshd and attempt to connect from a remote system using sftp and ssh:

Enter passphrase for key '/home/user/.ssh/id_dsa':
This account is restricted by rssh.
Allowed commands: scp sftp cvs rsync
If you believe this is in error, please contact your system administrator.
Connection to 192.168.1.2 closed.
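As an added check after the edits above (example code written for this page, not part of the original howto or of rssh itself): these POSIX sh functions read rssh.conf-style and passwd-style text and report which protocols are allowed and which accounts are actually handed to rssh, so you can confirm a login is restricted before testing from a remote host. The file contents are constructed samples; the allow* directive names are rssh's own, and /usr/bin/rssh is assumed to be the shell path the package installs.

```shell
#!/bin/sh
# Audit helpers for an rssh setup. The samples below are constructed for
# this example; on a live host pass "$(cat /etc/rssh.conf)" and
# "$(cat /etc/passwd)" to the functions instead.

# Constructed /etc/rssh.conf fragment: scp, sftp and rsync enabled,
# cvs and rdist left commented out.
RSSH_CONF_SAMPLE='logfacility = LOG_USER
allowscp
allowsftp
#allowcvs
#allowrdist
allowrsync
umask = 022'

# Constructed /etc/passwd fragment: only "user" has rssh as login shell.
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
user:x:1000:1000::/home/user:/usr/bin/rssh
backup:x:1001:1001::/home/backup:/bin/bash'

# Print the protocols enabled by uncommented allow* lines, space separated.
rssh_allowed() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*allow[a-z]+[ \t]*$/ {
            sub(/^[ \t]*allow/, ""); sub(/[ \t]*$/, "")
            list = list (list == "" ? "" : " ") $0
        }
        END { print list }'
}

# Print the accounts whose login shell (field 7) is /usr/bin/rssh.
rssh_users() {
    printf '%s\n' "$1" | awk -F: '$7 == "/usr/bin/rssh" { print $1 }'
}

# Return 0 if account $1 is restricted to rssh in passwd text $2, else 1.
is_rssh_restricted() {
    printf '%s\n' "$2" | awk -F: -v u="$1" '
        $1 == u && $7 == "/usr/bin/rssh" { found = 1 }
        END { exit !found }'
}

# Usage: can_use USER PROTO RSSH_CONF_TEXT PASSWD_TEXT
# Return 0 only if USER is rssh-restricted and PROTO is enabled in rssh.conf.
can_use() {
    is_rssh_restricted "$1" "$4" || return 1
    case " $(rssh_allowed "$3") " in
        *" $2 "*) return 0 ;;
        *) return 1 ;;
    esac
}
```

Run it with the real files and compare the output of rssh_allowed with the "Allowed commands" line rssh prints on a refused ssh login; a mismatch means sshd is still running an old rssh.conf or a different shell is set.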
Troubleshooting / Testing
Explanation of troubleshooting basics and expectations.

- Make sure your firewall or denyhosts has not banned or blocked your IP:

iptables -L INPUT -v -n
tail -f /etc/hosts.deny

- Restart sshd and make sure the password for the user is correct:

systemctl restart sshd.service
sudo passwd new_user
We test this stuff on our own machines, really we do. But you may run into problems; if you do, come to #centoshelp on irc.freenode.net.