/etc/rssh.conf - configuration file for rssh
is the configuration file for rssh
. It allows the system
administrator to control the behavior of the shell. Configuration keywords are
either used by themselves on a line, or followed by an equal sign ('=') and a
configuration value. Comments start with a hash ('#') and can occur anywhere
on the line. Configuration options are case insensitive. Spaces at the
beginning or end of line, or between the equal sign and the configuration
keywords or values are ignored. If the value of a configuration option
contains spaces, it (or at least the space) must be enclosed in either single
or double quotes.
A default configuration file is provided with the source distribution of
. If the configuration file is missing or contains errors, ssh will
lock out all users. If a config file is present, the default is to lock out
users if no services have been explicitly allowed.
New in v2.1 is the ability to configure options on a per-user basis, using the
user keyword. More details are below.
Tells the shell that scp is allowed.
Tells the shell that sftp is allowed.
Tells the shell that cvs is allowed.
Tells the shell that rdist is allowed.
Tells the shell that rsync is allowed.
Tells the shell that svnserve is
Sets the umask value for file creations in the
scp/sftp session. This is normally set at login time by the user's shell. In
order not to use the system default, rssh must set the umask.
Allows the system administrator to control
what syslog facility rssh
logs to. The facilities are the same as those
used by syslogd.conf
(5), or the C macros for the facilities can be used
instead. For example:
are equivalent, and tell rssh
to use the user facility for logging to
(actually a helper program)
to call the chroot()
system call, changing the root of the file system
to whatever directory is specified. Note that the value on the right hand side
of the equal sign is the name of a directory, not a command. For example:
will change the root of the virtual file system to /usr/chroot, preventing the
user from being able to access anything below /usr/chroot in the file system,
and making /usr/chroot appear to be the root directory. Care must be taken to
set up a proper chroot jail; see the file CHROOT in the rssh source
distribution for hints about how to do this. See also the chroot
If the user's home directory (as specified in /etc/passwd
) is underneath
the path specified by this keyword, then the user will be chdir'd into their
home directory. If it is not, then they will be chdir'd to the root of the
In other words, if the jail is /chroot
, and your user's home directory is
, then once rssh_chroot_helper
changes the root
of the system, it will cd into /home/user
inside the jail. However, if
your user's home directory is given as /home/user
, then even if that directory exists in the jail, the chroot
helper will not try to cd there. The user's normal home directory must live
inside the jail for this to work.
The user keyword allows for the configuration
of options on a per-user basis. THIS KEYWORD OVERRIDES ALL OTHER KEYWORDS
FOR THE SPECIFIED USER.
That is, if you use a user keyword for user foo,
then foo will use only the settings in that user line, and not any of the
settings set with the keywords above. The user keyword's argument consists of
a group of fields separated by a colon (':'), as shown below. The fields are,
The username of the user for whom the entry
The umask for this user, in octal, just as it
would be specified to the shell
Six binary digits, which indicate whether the
user is allowed to use rsync, rdist, cvs, sftp, scp and svnserve, in that
order. One means the command is allowed, zero means it is not.
The directory to which this user should
be chrooted (this is not a command, it is a directory name). See
chroot_path above for complete details.
For example, you might have something like this:
user = luser:022:000010:
This does the following: for the user with the username "luser", set
the umask to 022, disallow sftp, and allow scp. Because there is no chroot
path specified, the user will not
be chrooted, regardless of default
options set with the keywords above.
If you wanted this user to be
chrooted, you would need to specify the chroot path explicitly, even if it
should be the same as that set using the chrootpath keyword. Remember that if
there are spaces in the path, you need to quote it, something like this:
user = "luser:022:000010:/usr/local/chroot dir"
See the default rssh.conf file for more examples.