RSSH.CONF(5)                   Derek D. Martin                   RSSH.CONF(5)

NAME
       /etc/rssh.conf - configuration file for rssh

DESCRIPTION
       rssh.conf is the configuration file for rssh.  It allows the system
       administrator to control the behavior of the shell.  Configuration
       keywords are either used by themselves on a line, or followed by an
       equal sign ('=') and a configuration value.  Comments start with a
       hash ('#') and can occur anywhere on the line.  Configuration options
       are case insensitive.  Spaces at the beginning or end of a line, or
       between the equal sign and the configuration keywords or values, are
       ignored.  If the value of a configuration option contains spaces, it
       (or at least the space) must be enclosed in either single or double
       quotes.

       A default configuration file is provided with the source distribution
       of rssh.  If the configuration file is missing or contains errors,
       rssh will lock out all users.  If a config file is present, the
       default is to lock out users if no services have been explicitly
       allowed.

       New in v2.1 is the ability to configure options on a per-user basis,
       using the user keyword.  More details are below.

KEYWORDS
       allowscp
              Tells the shell that scp is allowed.

       allowsftp
              Tells the shell that sftp is allowed.

       allowcvs
              Tells the shell that cvs is allowed.

       allowrdist
              Tells the shell that rdist is allowed.

       allowrsync
              Tells the shell that rsync is allowed.

       umask  Sets the umask value for file creations in the scp/sftp
              session.  This is normally set at login time by the user's
              shell.  In order not to use the system default, rssh must set
              the umask.

       logfacility
              Allows the system administrator to control what syslog
              facility rssh logs to.  The facilities are the same as those
              used by syslogd.conf(5), or the C macros for the facilities
              can be used instead.  For example:

                     logfacility=user
                     logfacility=LOG_USER

              are equivalent, and tell rssh to use the user facility for
              logging to syslog.

       chrootpath
              Causes rssh (actually a helper program) to call the chroot()
              system call, changing the root of the file system to whatever
              directory is specified.  Note that the value on the right hand
              side of the equal sign is the name of a directory, not a
              command.  For example:

                     chrootpath=/usr/chroot

              will change the root of the virtual file system to
              /usr/chroot, preventing the user from being able to access
              anything below /usr/chroot in the file system, and making
              /usr/chroot appear to be the root directory.  Care must be
              taken to set up a proper chroot jail; see the file CHROOT in
              the rssh source distribution for hints about how to do this.
              See also the chroot(2) man page.

              If the user's home directory (as specified in /etc/passwd) is
              underneath the path specified by this keyword, then the user
              will be chdir'd into their home directory.  If it is not, then
              they will be chdir'd to the root of the chroot jail.

              In other words, if the jail is /chroot, and your user's home
              directory is /chroot/home/user, then once rssh_chroot_helper
              changes the root of the system, it will cd into /home/user
              inside the jail.  However, if your user's home directory is
              given as /home/user in /etc/passwd, then even if that directory
              exists in the jail, the chroot helper will not try to cd there.
              The user's normal home directory must live inside the jail for
              this to work.

       user   The user keyword allows for the configuration of options on a
              per-user basis.  THIS KEYWORD OVERRIDES ALL OTHER KEYWORDS FOR
              THE SPECIFIED USER.  That is, if you use a user keyword for
              user foo, then foo will use only the settings in that user
              line, and not any of the settings set with the keywords above.
              The user keyword's argument consists of a group of fields
              separated by a colon (':'), as shown below.  The fields are,
              in order:

              username
                     The username of the user for whom the entry provides
                     options
              umask  The umask for this user, in octal, just as it would be
                     specified to the shell
              access bits
                     Five binary digits, which indicate whether the user is
                     allowed to use rsync, rdist, cvs, sftp, and scp, in
                     that order.  One means the command is allowed, zero
                     means it is not.
              path   The directory to which this user should be chrooted
                     (this is not a command, it is a directory name).  See
                     chrootpath above for complete details.

              For example, you might have something like this:

                     user = luser:022:00001:

              This does the following: for the user with the username
              "luser", set the umask to 022, disallow sftp, and allow scp.
              Because there is no chroot path specified, the user will not
              be chrooted, regardless of default options set with the
              keywords above.  If you wanted this user to be chrooted, you
              would need to specify the chroot path explicitly, even if it
              should be the same as that set using the chrootpath keyword.
              Remember that if there are spaces in the path, you need to
              quote it, something like this:

                     user = "luser:022:00001:/usr/local/chroot dir"

              See the default rssh.conf file for more examples.
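       The file grammar described in DESCRIPTION (comments anywhere on a
       line, case-insensitive keywords, ignored surrounding whitespace,
       quoted values) and the override semantics of the user keyword
       (a user entry replaces every global keyword for that user, an empty
       path means no chroot, a missing or erroneous file locks everyone out)
       can be exercised with the small parser below, which computes the
       effective policy for any username.  It is an added example written
       for this page, not rssh's own parser or any code from the rssh
       project; the embedded rssh.conf text is constructed, and where the
       page does not say how a '#' inside a quoted value is treated, the
       parser assumes it still starts a comment.

```python
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

# Order of the five access bits in a "user" entry, as the man page lists them.
SERVICES = ("rsync", "rdist", "cvs", "sftp", "scp")
ALLOW_KEYWORDS = {"allow" + s: s for s in SERVICES}      # allowrsync ... allowscp

class ConfigError(ValueError):
    """Any syntax or value error; rssh treats such a file as locking everyone out."""

@dataclass(frozen=True)
class Policy:
    allowed: FrozenSet[str]              # subset of SERVICES; empty = locked out
    umask: Optional[int] = None          # octal value, None = not set
    chrootpath: Optional[str] = None     # None = not chrooted

@dataclass
class Config:
    default: Policy                      # built from the global keywords
    users: Dict[str, Policy]             # one Policy per "user" entry
    logfacility: Optional[str] = None

def _unquote(value: str) -> str:
    """Remove one matching pair of single or double quotes around a value."""
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
        return value[1:-1]
    return value

def _parse_umask(text: str, where: str) -> int:
    try:
        return int(text, 8)              # umask is given in octal, as to a shell
    except ValueError:
        raise ConfigError(f"{where}: bad umask {text!r}") from None

def _parse_user(value: str, where: str) -> Tuple[str, Policy]:
    """username:umask:access bits:path; an empty path means no chroot."""
    fields = value.split(":", 3)
    if len(fields) != 4 or not fields[0]:
        raise ConfigError(f"{where}: user entry needs username:umask:bits:path")
    name, umask, bits, path = fields
    if len(bits) != 5 or set(bits) - {"0", "1"}:
        raise ConfigError(f"{where}: access bits must be five binary digits")
    allowed = frozenset(svc for svc, bit in zip(SERVICES, bits) if bit == "1")
    return name, Policy(allowed, _parse_umask(umask, where), path or None)

def parse_config(text: str) -> Config:
    """Parse rssh.conf text; raise ConfigError on anything the page calls an error."""
    allowed, users, settings = set(), {}, {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        where = f"line {lineno}"
        # A '#' anywhere starts a comment (assumption: even inside quotes);
        # leading and trailing whitespace is ignored.
        line = re.sub(r"#.*", "", raw).strip()
        if not line:
            continue
        key, has_value, value = line.partition("=")
        key = key.strip().lower()               # keywords are case insensitive
        value = _unquote(value.strip()) if has_value else None
        if key in ALLOW_KEYWORDS:
            allowed.add(ALLOW_KEYWORDS[key])
        elif key not in ("umask", "chrootpath", "logfacility", "user"):
            raise ConfigError(f"{where}: unknown keyword {key!r}")
        elif not value:
            raise ConfigError(f"{where}: {key} needs a value")
        elif key == "user":
            name, policy = _parse_user(value, where)
            users[name] = policy
        else:
            settings[key] = value               # umask, chrootpath or logfacility
    umask = _parse_umask(settings["umask"], "umask") if "umask" in settings else None
    # With no allow* keyword the default policy stays empty, i.e. everyone is locked out.
    return Config(Policy(frozenset(allowed), umask, settings.get("chrootpath")),
                  users, settings.get("logfacility"))

def load_config(text: Optional[str]) -> Optional[Config]:
    """None stands for a missing or erroneous file, which locks out all users."""
    try:
        return parse_config(text) if text is not None else None
    except ConfigError:
        return None

def effective_policy(config: Optional[Config], username: str) -> Policy:
    """A "user" entry replaces the global keywords entirely; nothing is merged in."""
    if config is None:
        return Policy(frozenset())
    return config.users.get(username, config.default)

# Constructed sample configuration, not the default file shipped with rssh.
SAMPLE_CONF = """\
LogFacility = LOG_USER                 # keywords are case insensitive
  umask = 077
allowscp
allowsftp
chrootpath = "/usr/local/chroot dir"   # a value containing a space must be quoted
user = luser:022:00001:                # scp only, and not chrooted despite chrootpath
user = "jailed:027:00011:/usr/local/chroot dir"
"""
```

       Calling effective_policy(load_config(SAMPLE_CONF), name) for "alice"
       (no user entry) yields the global scp/sftp policy with the chroot,
       for "luser" yields scp only with no chroot, and for "jailed" yields
       the sftp/scp bits with the quoted chroot directory; any user entry
       with malformed access bits or an unknown keyword makes load_config
       return None, the locked-out state.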

SEE ALSO
       rssh(1), sshd(8), ssh(1), scp(1), sftp(1), syslogd.conf(5), chroot(2).

man pages                        7 Jul 2003                      RSSH.CONF(5)