This article demonstrates how easy it is to limit users SSH’ing into your system to just Rsync and/or SCP. We’re using CentOS 6 for this demo. For example, suppose you want to allow users (or a script on a remote system) to SCP or Rsync files to and from a server, but you don’t want them to be able to log in and run commands on the server. This is where RSSH comes in.
First install RSSH using Yum:
yum install rssh
Or
yum localinstall http://rpm.centoshelp.org/el7/rpms/rssh-2.3.4-6.el7.centos.opsec.x86_64.rpm
Open the “/etc/rssh.conf” file for editing. Notice the following 4 lines:
9 #allowscp
10 #allowsftp
11 #allowcvs
12 #allowrdist
13 #allowrsync
Uncomment only the minimum you need. For instance, to permit SCP and Rsync, uncomment lines 9 and 13. Save the file.
Now you have a new shell located (for me) at “/usr/bin/rssh”. You can edit the “/etc/passwd” file and change any “/bin/bash” shell parameter to “/usr/bin/rssh”.
Warning! Don’t test this with your own account. Make sure you test it with a separate “test” account.
From this:
testuser324:x:22447:22449::/home/testuser324:/bin/bash
To this:
testuser324:x:22447:22449::/home/testuser324:/usr/bin/rssh
You can do this with “usermod” and “useradd” as in the following examples:
usermod -s /usr/bin/rssh testuser324
Finally we need to make sure the user is in the right group. Make sure the user is in the “rsshusers” group. Read on for ways you can do this.
Create a new user, add that user to the right group and set their shell:
useradd -s /usr/bin/rssh -G rsshusers testuser324
Modify an existing user, set their group membership and set their shell. Get their current group membership first.
groups testuser324
testuser324 : testuser324 finance sales
usermod -s /usr/bin/rssh -G testuser324,finance,sales,rsshusers testuser324
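To verify the result of the steps above, the following added example (not part of the original article) audits passwd, group and rssh.conf data: it lists which protocols are enabled, which accounts use the rssh shell, and which of those accounts are missing from the “rsshusers” group. The function names and the sample data are constructed for illustration; the shell path and group name are the ones used in this article.

```shell
#!/bin/sh
# Added example (not from the original article): audit an rssh setup offline.
RSSH_SHELL=/usr/bin/rssh   # shell path used in the article
RSSH_GROUP=rsshusers       # group named in the article

# Protocols enabled in an rssh.conf: uncommented allow* directives only.
enabled_protocols() {
    awk '$1 ~ /^allow[a-z]+$/ { print substr($1, 6) }' "$1" | sort | xargs
}

# Accounts in a passwd file whose login shell is rssh.
rssh_users() {
    awk -F: -v sh="$RSSH_SHELL" '$7 == sh { print $1 }' "$1" | xargs
}

# rssh accounts that are in the group neither by primary GID nor by membership.
# Args: passwd-file group-file
missing_group() {
    awk -F: -v sh="$RSSH_SHELL" -v grp="$RSSH_GROUP" '
        NR == FNR { if ($1 == grp) { gid = $3; n = split($4, m, ",")
                        for (i = 1; i <= n; i++) member[m[i]] = 1 }
                    next }
        $7 == sh && $4 != gid && !($1 in member) { print $1 }
    ' "$2" "$1" | xargs
}

# Write constructed sample files into directory $1.
make_sample() {
    cat > "$1/rssh.conf" <<'EOF'
allowscp
#allowsftp
#allowcvs
#allowrdist
allowrsync
EOF
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
testuser324:x:22447:22449::/home/testuser324:/usr/bin/rssh
backupbot:x:22450:22451::/home/backupbot:/usr/bin/rssh
EOF
    cat > "$1/group" <<'EOF'
finance:x:500:testuser324
rsshusers:x:501:testuser324
EOF
}

d=$(mktemp -d); make_sample "$d"
echo "enabled protocols: $(enabled_protocols "$d/rssh.conf")"
echo "rssh accounts:     $(rssh_users "$d/passwd")"
echo "not in $RSSH_GROUP: $(missing_group "$d/passwd" "$d/group")"
rm -rf "$d"
```

Point the functions at /etc/rssh.conf, /etc/passwd and /etc/group to run the same checks on a live host.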