Sometimes, you may want to provide services that require shell access without actually giving users shell access. The restricted shell, rssh, can be used to do just that.

It may sound contradictory at first, but there are times when a system administrator may have a legitimate need to offer services that depend on shell access for users without actually giving those users shell access on the system. Providing shell access to users, especially if they are untrusted users, can present a serious security problem for sysadmins, after all.

One example is using OpenSSH to provide SFTP accounts so that users can transfer files to and from your server securely. OpenSSH requires shell access to provide SFTP access. There is a restricted shell called rssh, however, that provides shell access for server daemons such as OpenSSH, but does not provide an interactive shell environment that can be abused by users.

The rssh tool is available in the software management archives of major open source Unix-like systems, such as Debian GNU/Linux and FreeBSD. Debian’s apt-cache search command has this to say about it:

rssh - Restricted shell allowing only scp, sftp, cvs, rsync and/or rdist

You can find out more about the program at its homepage.

After installing it with your BSD Unix or Linux-based system’s native software management tools, getting it set up and working is a very simple operation. Create the account that should be restricted with rssh using your system’s standard account creation utilities, and set its default shell to rssh. Once this is done, you can test the account’s configuration by trying to log into it via ssh. The connection should be terminated before login is complete, with a message explaining that the account has been restricted with rssh.

By default, however, rssh also blocks every other way of using the account, SFTP included, which is unfortunate for anyone who wants the account to be able to do something. To allow SFTP, rssh must be explicitly configured to do so. Find the rssh.conf file, whose location depends on the specific system where it is installed but should be somewhere like /usr/local/etc/rssh.conf, and edit it to contain the following line to allow SFTP connections:


Similar configuration options exist for the other tools that rssh supports, so that you can provide users with the ability to access particular resources on the system without having to give them the ability to log in directly with an interactive shell as well.
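
The default-deny behaviour and the SFTP opt-in described above, as an added example that is not part of the original article: a shell audit that lists the accounts whose shell is rssh and the services that rssh.conf enables. The sample passwd and rssh.conf contents are constructed, the function names are illustrative, and only the global allowscp, allowsftp, allowcvs, allowrdist and allowrsync keywords of rssh.conf are evaluated.

```shell
# Added example: audit which accounts are confined to rssh and which
# services rssh.conf enables. All sample data below is constructed.

# Active allow* keywords in an rssh.conf ($1); commented lines are ignored.
# Per-user "user=" entries are not evaluated by this sketch.
rssh_enabled_services() {
    sed 's/#.*//' "$1" |
        awk 'NF == 1 && $1 ~ /^allow(scp|sftp|cvs|rdist|rsync)$/ { print $1 }' |
        sort -u | paste -s -d ' ' -
}

# Login names in a passwd-format file ($1) whose login shell is rssh.
rssh_accounts() {
    awk -F: '$7 ~ /(^|\/)rssh$/ { print $1 }' "$1" | paste -s -d ' ' -
}

# One-line verdict for a passwd file ($1) and an rssh.conf ($2).
rssh_audit() {
    accounts=$(rssh_accounts "$1")
    services=$(rssh_enabled_services "$2")
    if [ -z "$accounts" ]; then
        echo "no rssh accounts"
    elif [ -z "$services" ]; then
        echo "locked out: $accounts"          # rssh set, nothing allowed
    else
        echo "restricted to $services: $accounts"
    fi
}

# Write constructed sample files into directory $1 (paths are assumptions).
write_samples() {
cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
upload:x:1001:1001:SFTP drop:/home/upload:/usr/bin/rssh
alice:x:1002:1002:Alice:/home/alice:/bin/bash
EOF
cat > "$1/rssh.conf.default" <<'EOF'
# nothing enabled: every use of the account is refused
#allowsftp
EOF
cat > "$1/rssh.conf.sftp" <<'EOF'
#allowscp
allowsftp
EOF
}

d=$(mktemp -d); write_samples "$d"
rssh_audit "$d/passwd" "$d/rssh.conf.default"
rssh_audit "$d/passwd" "$d/rssh.conf.sftp"
rm -rf "$d"
```

An account such as alice in the sample, whose shell is still /bin/bash, does not appear in the rssh list, which is the quickest way to spot users who kept an interactive shell.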