rssh testing

Do you have a question? Post it now! No Registration Necessary.  Now with pictures!

Threaded View
I'm new to rssh, but I need to make it work.  

Server is Fedora Core 3.

I've installed rssh-2.2.3-1.1.fc3.rf using rpm.

These are also installed:


I've configured /etc/rssh.conf according to docs, read the man pages
on rssh and rssh.conf.

Since I've never used this before, I'm not sure exactly what to

As root, I try this:

[root@lnxweb2 /var/ftp]# rssh

This account is restricted by rssh.
Allowed commands: sftp

If you believe this is in error, please contact your system

[root@lnxweb2 /var/ftp]#

This doesn't seem right, I would think I should get a command prompt,
but it seems to simply exit and without any error message that might
lead me to what is wrong.  The only part that seems correct is the
fact that sftp is allowed, that I configured in /etc/rssh.conf.

Help with this would be greatly appreciated.

Re: rssh testing

Gravenhorst) writes:
Quoted text here. Click to load it

I've never used rssh, but apparently it's intended to be used as the
login shell for accounts that are only to be allowed to run the
configure commands via ssh. It is not intended as an interactive shell,
which is what you are trying to test - or rather, it is supposed to
specifically prevent any interactive use, which would be attempted if
you tried to simply do an interactive login on that account (i.e. 'ssh
user@host' or any other method to obtain an interactive login).

The following is more than a little simplified, but good enough to show
the principle... When you invoke the sftp client, it basically runs

  ssh user@host sftp-server

I.e. it requests that the SSH server runs the command 'sftp-server'
instead of giving an interactive shell - just as if you run, say, 'ssh
user@host echo foo', you would just get the "foo" back and then the
connection would close, having executed the requested command - you
never get a prompt from the remote login shell.

The ssh server does however make use of the remote login shell to run
the command, by invoking

  $SHELL -c sftp-server

- the -c option being standard across all shells and meaning "run the
command given as the next argument" (see the man page for your favorite
shell). So, in the case where rssh is the account's login shell, the ssh
server will run

  rssh -c sftp-server

And that is something you could possibly try, and *not* get an error
message (but instead get "hung" with the sftp-server expecting you to
speak the sftp protocol to it:-). Note though that the sftp-server
command may not be in your $PATH and the command may actually fail for
that reason, and in real life the ssh server will normally instead run
the command that is specified for "Subsystem sftp" in sshd_config
(e.g. on my FreeBSD box here it is /usr/libexec/sftp-server) - as I
said, this is a bit simplified.

In any case trying to run anything *else* via -c, e.g. 'rssh -c ls',
should be rejected - as should not giving -c and a following arg at all,
which you already verified. A more meaningful test might be to actually
test an account that has rssh as login shell, since that's your goal

All of these should be rejected:

ssh user@host
ssh user@host echo foo
trying to log in as 'user' in any other way, e.g. on console

- while this should work:

sftp user@host

--Per Hedeland

Site Timeline