RSSH.CONF(5)                    Derek D. Martin                   RSSH.CONF(5)

NAME

       /etc/rssh.conf - configuration file for rssh

OVERVIEW

       rssh.conf is the configuration file for rssh.  It allows the system
       administrator to control the behavior of the shell.  Configuration
       keywords are either used by themselves on a line, or followed by an
       equal sign ('=') and a configuration value.  Comments start with a
       hash ('#') and can occur anywhere on the line.  Configuration options
       are case insensitive.  Spaces at the beginning or end of a line, or
       between the equal sign and the configuration keywords or values, are
       ignored.  If the value of a configuration option contains spaces, it
       (or at least the space) must be enclosed in either single or double
       quotes.

       A default configuration file is provided with the source distribution
       of rssh.  If the configuration file is missing or contains errors,
       rssh will lock out all users.  If a config file is present, the
       default is to lock out users if no services have been explicitly
       allowed.

       New in v2.1 is the ability to configure options on a per-user basis,
       using the user keyword.  More details are below.

CONFIGURATION KEYWORDS

       allowscp
              Tells the shell that scp is allowed.

       allowsftp
              Tells the shell that sftp is allowed.

       allowcvs
              Tells the shell that cvs is allowed.

       allowrdist
              Tells the shell that rdist is allowed.

       allowrsync
              Tells the shell that rsync is allowed.

       umask
              Sets the umask value for file creations in the scp/sftp session.
              This is normally set at login time by the user's shell.  In
              order not to use the system default, rssh must set the umask.

       logfacility
              Allows the system administrator to control what syslog facility
              rssh logs to.  The facilities are the same as those used by
              syslogd.conf(5), or the C macros for the facilities can be used
              instead.  For example:

              logfacility=user
              logfacility=LOG_USER

              are equivalent, and tell rssh to use the user facility for
              logging to syslog.

       chrootpath
              Causes rssh (actually a helper program) to call the chroot()
              system call, changing the root of the file system to whatever
              directory is specified.  Note that the value on the right hand
              side of the equal sign is the name of a directory, not a
              command.  For example:

              chrootpath=/usr/chroot

              will change the root of the virtual file system to /usr/chroot,
              preventing the user from accessing anything outside /usr/chroot
              in the file system, and making /usr/chroot appear to be the
              root directory.  Care must be taken to set up a proper chroot
              jail; see the file CHROOT in the rssh source distribution for
              hints about how to do this.  See also the chroot(2) man page.

              If the user's home directory (as specified in /etc/passwd) is
              underneath the path specified by this keyword, then the user
              will be chdir'd into their home directory.  If it is not, then
              they will be chdir'd to the root of the chroot jail.

              In other words, if the jail is /chroot, and your user's home
              directory is /chroot/home/user, then once rssh_chroot_helper
              changes the root of the system, it will cd into /home/user
              inside the jail.  However, if your user's home directory is
              given as /home/user in /etc/passwd, then even if that directory
              exists in the jail, the chroot helper will not try to cd there.
              The user's normal home directory must live inside the jail for
              this to work.

       user
              The user keyword allows for the configuration of options on a
              per-user basis.  THIS KEYWORD OVERRIDES ALL OTHER KEYWORDS FOR
              THE SPECIFIED USER.  That is, if you use a user keyword for user
              foo, then foo will use only the settings in that user line, and
              not any of the settings set with the keywords above.  The user
              keyword's argument consists of a group of fields separated by a
              colon (':'), as shown below.  The fields are, in order:

              username
                     The username of the user for whom the entry provides
                     options
              umask
                     The umask for this user, in octal, just as it would be
                     specified to the shell
              access bits
                     Five binary digits, which indicate whether the user is
                     allowed to use rsync, rdist, cvs, sftp, and scp, in that
                     order.  One means the command is allowed, zero means it
                     is not.
              path
                     The directory to which this user should be chrooted (this
                     is not a command, it is a directory name).  See
                     chrootpath above for complete details.

              For example, you might have something like this:

              user = luser:022:00001:

              This does the following: for the user with the username "luser",
              set the umask to 022, disallow sftp, and allow scp.  Because
              there is no chroot path specified, the user will not be
              chrooted, regardless of default options set with the keywords
              above.  If you wanted this user to be chrooted, you would need
              to specify the chroot path explicitly, even if it should be the
              same as that set using the chrootpath keyword.  Remember that if
              there are spaces in the path, you need to quote it, something
              like this:

              user = "luser:022:00001:/usr/local/chroot dir"

              See the default rssh.conf file for more examples.
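
       The following Python sketch is an added example, not part of the rssh
       distribution.  It parses the keywords described above and reports
       users whose user line leaves them outside the jail set by chrootpath.
       The function names and the sample configuration are constructed for
       this example, and the parser assumes all four user fields are present.

```python
import shlex

SERVICES = ("rsync", "rdist", "cvs", "sftp", "scp")  # order of the access bits

# Constructed sample input, not the default rssh.conf shipped with rssh.
SAMPLE = """\
logfacility = LOG_USER
allowscp
AllowSFTP                          # keywords are case insensitive
umask = 022
chrootpath = /usr/chroot
user = luser:022:00001:            # scp only, and no chroot path
user = "backup:027:10000:/usr/local/chroot dir"
"""

def parse_user_value(value):
    """Decode the 'username:umask:access bits:path' fields of a user line."""
    name, umask, bits, path = value.split(":", 3)  # assumes all four fields
    if len(bits) != 5 or set(bits) - {"0", "1"}:
        raise ValueError(f"access bits must be five binary digits: {bits!r}")
    allowed = [svc for svc, bit in zip(SERVICES, bits) if bit == "1"]
    return name, {"umask": int(umask, 8), "allowed": allowed,
                  "chroot": path or None}

def effective_settings(conf_text):
    """Map each user to its settings; '*' holds the global keywords."""
    glob = {"umask": None, "allowed": [], "chroot": None}
    result = {"*": glob}
    for line in conf_text.splitlines():
        # shlex drops '#' comments and honours quotes; unquoted spaces vanish.
        key, _, val = "".join(shlex.split(line, comments=True)).partition("=")
        key = key.lower()
        if key.startswith("allow") and key[5:] in SERVICES:
            glob["allowed"].append(key[5:])
        elif key == "umask":
            glob["umask"] = int(val, 8)
        elif key == "chrootpath":
            glob["chroot"] = val
        elif key == "user":
            # A user line replaces every global keyword for that user.
            name, entry = parse_user_value(val)
            result[name] = entry
    return result

def unjailed_overrides(settings):
    """Users whose user line omits the path although chrootpath is set."""
    if settings["*"]["chroot"] is None:
        return []
    return sorted(u for u, s in settings.items() if s["chroot"] is None)
```

       Running unjailed_overrides(effective_settings(SAMPLE)) lists luser,
       whose user line has an empty path field.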

SEE ALSO

       rssh(1), sshd(8), ssh(1), scp(1), sftp(1), syslogd.conf(5), chroot(2).

man pages                         7 Jul 2003                      RSSH.CONF(5)