rssh.conf manpage


RSSH.CONF(5)			Derek D. Martin			  RSSH.CONF(5)

       /etc/rssh.conf - configuration file for rssh

       rssh.conf  is  the  configuration  file for rssh.  It allows the system
       administrator to control the behavior of the shell.  Configuration key-
       words  are either used by themselves on a line, or followed by an equal
       sign ('=') and a configuration value.  Comments start with a hash ('#')
       and  can	 occur	anywhere  on the line.	Configuration options are case
       insensitive. Spaces at the beginning or end of  line,  or  between  the
       equal  sign  and	 the configuration keywords or values are ignored.  If
       the value of a configuration option contains spaces, it	(or  at	 least
       the space) must be enclosed in either single or double quotes.

       A default configuration file is provided with the source distribution
       of rssh.  If the configuration file is missing or contains errors, rssh
       will lock out all users.  If a config file is present, the default is
       to lock out users if no services have been explicitly allowed.

       New in v2.1 is the ability to configure options on  a  per-user	basis,
       using the user keyword.	More details are below.

	      Tells the shell that scp is allowed.

	      Tells the shell that sftp is allowed.

	      Tells the shell that cvs is allowed.

	      Tells the shell that rdist is allowed.

	      Tells the shell that rsync is allowed.

	      Sets the umask value for file creations in the scp/sftp session.
	      This is normally set at login time  by  the  user's  shell.   In
	      order not to use the system default, rssh must set the umask.

	      Allows  the system administrator to control what syslog facility
	      rssh logs to.  The facilities are the same as those used by sys-
	      logd.conf(5),  or	 the  C	 macros for the facilities can be used
	      instead.	For example:


	      are equivalent, and tell rssh to use the user facility for  log-
	      ging to syslog.

	      Causes  rssh  (actually  a  helper program) to call the chroot()
	      system call, changing the root of the file  system  to  whatever
	      directory	 is  specified.	 Note that the value on the right hand
	      side of the equal sign is the name of a directory,  not  a  com-
	      mand.  For example:


	      will change the root of the virtual file system to /usr/chroot,
	      preventing the user from being able to access anything outside
	      /usr/chroot in the file system, and making /usr/chroot appear to
	      be the root directory.  Care must be taken to set	 up  a	proper
	      chroot jail; see the file CHROOT in the rssh source distribution
	      for hints about how to do this.	See  also  the	chroot(2)  man

	      If  the  user's  home directory (as specified in /etc/passwd) is
	      underneath the path specified by this  keyword,  then  the  user
	      will  be	chdir'd into their home directory.  If it is not, then
	      they will be chdir'd to the root of the chroot jail.

	      In other words, if the jail is /chroot,  and  your  user's  home
	      directory	 is  /chroot/home/user,	 then  once rssh_chroot_helper
	      changes the root of the  system,	it  will  cd  into  /home/user
	      inside  the  jail.   However,  if	 your user's home directory is
	      given as /home/user in /etc/passwd, then even if that  directory
	      exists  in the jail, the chroot helper will not try to cd there.
	      The user's normal home directory must live inside the  jail  for
	      this to work.

	      The  user	 keyword  allows for the configuration of options on a
	      THE SPECIFIED USER.  That is, if you use a user keyword for user
	      foo, then foo will use only the settings in that user line,  and
	      not  any	of the settings set with the keywords above.  The user
	      keyword's argument consists of a group of fields separated by  a
	      colon (':'), as shown below.  The fields are, in order:

		     The  username  of	the  user  for whom the entry provides
		     The umask for this user, in octal, just as	 it  would  be
		     specified to the shell
	      access bits
		     Five  binary  digits,  which indicate whether the user is
		     allowed to use rsync, rdist, cvs, sftp, and scp, in  that
		     order.   One  means the command is allowed, zero means it
		     is not.
		     The directory to which this user should be chrooted (this
		     is	  not  a  command,  it	is  a  directory  name).   See
		     chroot_path above for complete details.

	      For example, you might have something like this:

	      user = luser:022:00001:

	      This does the following: for the user with the username "luser",
	      set  the	umask  to  022, disallow sftp, and allow scp.  Because
	      there is	no  chroot  path  specified,  the  user	 will  not  be
	      chrooted,	 regardless  of	 default options set with the keywords
	      above.  If you wanted this user to be chrooted, you  would  need
	      to  specify the chroot path explicitly, even if it should be the
	      same as that set using the chrootpath keyword.  Remember that if
	      there  are  spaces  in the path, you need to quote it, something
	      like this:

	      user = "luser:022:00001:/usr/local/chroot dir"

	      See the default rssh.conf file for more examples.
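
The following is an added example, not part of the rssh distribution or the original man page: a small Python audit that decodes user lines as described above and flags users who are left unjailed because their user line has an empty chroot path while chrootpath is set. It assumes all four colon-separated fields are present (as in the examples above); the sample configuration and the username "jail" are constructed for illustration.

```python
import shlex

# Order of the five access bits, as listed in the man page text above.
SERVICES = ("rsync", "rdist", "cvs", "sftp", "scp")

def parse_user(value):
    """Decode username:umask:access bits:path (all four fields required here)."""
    fields = value.split(":", 3)
    if len(fields) != 4:
        raise ValueError("expected username:umask:access bits:path")
    name, umask, bits, path = fields
    if not name or len(bits) != 5 or set(bits) - set("01"):
        raise ValueError("bad username or access bits in %r" % value)
    return {
        "name": name,
        "umask": int(umask, 8),  # octal, as it would be given to the shell
        "allowed": [s for s, b in zip(SERVICES, bits) if b == "1"],
        "chroot": path or None,  # empty field: this user is not chrooted
    }

def audit(conf_text):
    """Return (users, warnings) for the `user` and `chrootpath` lines."""
    default_chroot, users, warnings = None, [], []
    for line in conf_text.splitlines():
        # shlex strips '#' comments and honours single/double quotes.
        joined = "".join(shlex.split(line, comments=True))
        keyword, _, value = joined.partition("=")
        keyword = keyword.lower()  # options are case insensitive
        if keyword == "chrootpath":
            default_chroot = value
        elif keyword == "user":
            users.append(parse_user(value))
    for u in users:
        # A user line replaces the defaults, so an empty path means no jail.
        if default_chroot and u["chroot"] is None:
            warnings.append("%s: not chrooted although chrootpath=%s"
                            % (u["name"], default_chroot))
    return users, warnings

# Constructed sample input, built from the examples on this page.
SAMPLE = """
chrootpath = /usr/chroot      # default jail
user = luser:022:00001:       # scp only, no chroot path
USER = "jail:027:00011:/usr/local/chroot dir"
"""

if __name__ == "__main__":
    for item in audit(SAMPLE):
        print(item)
```

A malformed user value raises ValueError rather than being skipped, mirroring the fail-closed behaviour the page describes for configuration errors.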

       rssh(1), sshd(8), ssh(1), scp(1), sftp(1), syslogd.conf(5), chroot(2).

man pages			  7 Jul 2003			  RSSH.CONF(5)