Last updated: 2019-10-08
Introduction
rssh - Restricted shell allowing scp, sftp, svn, rsync(for use with OpenSSH)
Installation
apt-get install rssh
rssh -v
rssh 2.3.4
Copyright 2002-2010 Derek D. Martin <rssh-discuss at lists dot sourceforge dot net>

rssh config file = /etc/rssh.conf
chroot helper path = /usr/lib/rssh/rssh_chroot_helper
scp binary path = /usr/bin/scp
sftp server binary = /usr/lib/openssh/sftp-server
cvs binary path = /usr/bin/cvs
rdist binary path = /usr/bin/rdist
rsync binary path = /usr/bin/rsync
svnserve binary path = /usr/bin/svnserve
* Since version 0.9.3, rssh is compiled statically by default (this prevents attacks that use environment variables to make the binary load a malicious shared library).
Configuration
# Set a user's login shell to rssh
usermod -s /usr/bin/rssh tim
# Configure which services are allowed
By default, the rssh configuration locks down everything.
/etc/rssh.conf
# "LOG_USER" and "user" are equivalent.
# Messages go to /var/log/user.log
# /etc/rsyslog.conf contains:
# user.* -/var/log/user.log
logfacility = LOG_USER

allowscp
allowsftp

# set the default umask
umask = 022

# other useful settings
allowrsync
allowsvnserve
#chrootpath = "/usr/local/my chroot"
Per-user Options
username:umask:access-bits[:path]
access bits: (rsync)(rdist)(cvs)(sftp)(scp)(svnserve)
For example:
user = "user1:022:100000:"
user = "user2:022:000110:/usr/local/chroot_dir"
Remark
- rsync: 100000
- sftp+scp: 000110
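The per-user line format above, as an added example that is not from the page or from the rssh project: a small Python checker that parses `user = "..."` lines from a constructed sample config and decodes the six access bits into service names, so an administrator can audit what each restricted account may run.

```python
# Added example (not part of the original page): decode rssh per-user
# access-bit lines so an admin can audit what each restricted user may run.
# Bit order follows the page: (rsync)(rdist)(cvs)(sftp)(scp)(svnserve).
import re

SERVICES = ("rsync", "rdist", "cvs", "sftp", "scp", "svnserve")
USER_RE = re.compile(r'^\s*user\s*=\s*"?([^"#]+?)"?\s*(?:#.*)?$')

# Constructed sample configuration, modelled on the page's examples;
# the last line is deliberately malformed (only five bits).
SAMPLE_CONF = """
logfacility = LOG_USER
allowscp
allowsftp
umask = 022
user = "user1:022:100000:"
user = "user2:022:000110:/usr/local/chroot_dir"
user = "bad:022:10010:"
"""

def decode_access_bits(bits):
    """Return the services enabled by a six-character 0/1 string."""
    if len(bits) != len(SERVICES) or set(bits) - {"0", "1"}:
        raise ValueError(f"invalid access bits: {bits!r}")
    return [svc for svc, flag in zip(SERVICES, bits) if flag == "1"]

def parse_rssh_conf(text):
    """Parse per-user lines of the form username:umask:access-bits[:path]."""
    users = {}
    for line in text.splitlines():
        m = USER_RE.match(line)
        if not m:
            continue
        fields = m.group(1).split(":")
        if len(fields) < 3:
            raise ValueError(f"malformed user line: {line!r}")
        name, umask, bits = fields[0], fields[1], fields[2]
        path = fields[3] if len(fields) > 3 and fields[3] else None
        try:
            services = decode_access_bits(bits)
        except ValueError as exc:
            users[name] = {"error": str(exc)}  # flag bad lines, keep going
            continue
        users[name] = {"umask": umask, "services": services, "chroot": path}
    return users

if __name__ == "__main__":
    for name, info in parse_rssh_conf(SAMPLE_CONF).items():
        print(name, info)
```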
* Remark
WinSCP is not compatible with rssh.
Chroot
log
Jun 8 12:40:33 server rssh[17392]: allowing scp to user tim
Jun 8 12:40:33 server rssh[17392]: allowing sftp to user tim
Jun 8 12:40:33 server rssh[17392]: chrooting tim to /data/upload
Jun 8 12:40:33 server rssh[17392]: chroot cmd line: /usr/lib/rssh/rssh_chroot_helper 2 "/usr/lib/openssh/sftp-server"
Jun 8 12:40:33 server rssh_chroot_helper[17392]: new session for tim, UID=1001
Jun 8 12:40:33 server rssh_chroot_helper[17392]: chroot() failed, 2: Operation not permitted
cp /usr/share/doc/rssh/examples/mkchroot.sh .
chmod 755 mkchroot.sh