Many system administrators need to provide file transfer capabilities without granting full shell access. This is particularly common when:
- Providing access to backup scripts
- Allowing external partners to retrieve log files
- Creating limited-access service accounts
On OpenSSH 4.9 or later (Match and ForceCommand appeared in 4.4, ChrootDirectory and internal-sftp in 4.8/4.9) the most reliable method needs no extra package: a Match block in sshd_config that forces the in-process SFTP server, chroots the user and switches every other SSH feature off:
# /etc/ssh/sshd_config
Match User restricted_user
ForceCommand internal-sftp
PasswordAuthentication yes
ChrootDirectory /path/to/chroot
PermitTunnel no
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no
Put the Match block at the end of the file: every directive after a Match line belongs to that block until the next Match. sshd honours ChrootDirectory only when the directory and every parent component are owned by root and not writable by group or others, so give the user a writable subdirectory inside the chroot rather than ownership of the chroot itself.
For per-command control on systems whose OpenSSH is too old for the above, or where clients must use scp rather than sftp, install the rssh restricted shell (available from the EPEL repository for CentOS 5) and make it the user's login shell:
yum install rssh
chsh -s /usr/bin/rssh restricted_user
Then configure /etc/rssh.conf so that scp is the only permitted command:
allowscp
# deny all other options: leave allowsftp, allowcvs, allowrdist and allowrsync commented out
logfacility = LOG_USER
umask = 022
rssh has been unmaintained for years, so prefer the internal-sftp configuration wherever the OpenSSH version allows it.
Complete setup example for new accounts:
useradd -s /usr/bin/rssh -d /home/scpuser -m scpuser
passwd scpuser
mkdir -p /home/scpuser/uploads
chown scpuser:scpuser /home/scpuser/uploads
chmod 750 /home/scpuser
Test the configuration from a client machine. rssh does not chroot, so remote paths are ordinary filesystem paths, relative to the user's home directory unless they are absolute:
# Should work:
scp file.txt scpuser@server:uploads/
# Should fail: rssh prints a message listing the allowed commands and exits instead of starting a shell
ssh scpuser@server
If connections are rejected:
- Verify SELinux contexts:
restorecon -Rv /home/scpuser
- Check audit logs:
ausearch -m avc -ts recent
- Ensure proper permissions on the home directory (not writable by group/others)
Additional hardening measures:
# In sshd_config:
PermitEmptyPasswords no
PermitUserEnvironment no
ClientAliveInterval 300
ClientAliveCountMax 2
PermitUserEnvironment matters here because variables set through ~/.ssh/environment or an environment= option in authorized_keys would otherwise be handed to the forced command. The ClientAlive options detect a client that has stopped answering keepalive probes, not an idle session; current OpenSSH releases treat ClientAliveCountMax 0 as "never disconnect", so keep the count nonzero.
Administrators often need to provide file transfer capabilities without granting full shell access. While SCP and SFTP both operate over SSH, we can leverage OpenSSH's configuration to create a secure, restricted environment.
The most reliable method uses rssh or scponly as the user's shell. For CentOS 5.2:
# yum install rssh
# chsh -s /usr/bin/rssh username
For systems without additional packages, and whose OpenSSH supports Match and ForceCommand (4.4 or later; the stock openssh-4.3p2 on CentOS 5 does not unless the vendor backported them, so check with ssh -V), modify /etc/ssh/sshd_config instead:
Match User restricted_user
ForceCommand /usr/libexec/openssh/sftp-server
X11Forwarding no
AllowTcpForwarding no
PermitTTY no
PermitTTY requires OpenSSH 6.2 or later; older versions refuse to start on an unknown keyword. Without ChrootDirectory this user can still read any file the Unix permissions allow, so add a chroot where the version permits it.
For a chrooted, SFTP-only account (OpenSSH 4.9 or later), create the jail with a root-owned top level and a user-owned upload directory inside it:
# mkdir -p /var/jail/username/uploads
# chown username:username /var/jail/username/uploads
# usermod -d /var/jail/username username
Then in sshd_config:
Match User username
ChrootDirectory /var/jail/username
ForceCommand internal-sftp
AllowTcpForwarding no
X11Forwarding no
Test the configuration:
# ssh username@localhost
# Should reject with "This service allows sftp connections only."; ForceCommand also replaces any command given on the ssh command line
# sftp username@localhost
# Should work; paths are relative to the chroot, so uploads/ is /var/jail/username/uploads
# scp username@localhost:/path/to/file .
# Works only when the client scp speaks SFTP: OpenSSH 9.0 and later do so by default, 8.7 to 8.9 need scp -s, and older scp clients fail because the server runs internal-sftp instead of the remote scp they expect
Key permission issues often cause problems. The chroot directory and every directory above it must be owned by root and not writable by group or others; otherwise sshd logs "bad ownership or modes for chroot directory" and refuses the login. Ensure:
# chmod 755 /var/jail
# chown root:root /var/jail
# chmod 755 /var/jail/username
# chown root:root /var/jail/username
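The ownership rule above and the ChrootDirectory line in the earlier Match block come down to one test that sshd applies at login. The script below is an added example, not part of the original page or of OpenSSH: it runs the same test ahead of time so the failure does not surface only in the auth log. It assumes GNU or busybox coreutils (stat -c, readlink -f); the jail path /var/jail/username in the usage comment is only an illustration.

```sh
#!/bin/sh
# Added example: pre-flight check for an sshd ChrootDirectory.
# sshd refuses the chroot unless the directory and every parent component
# are owned by root and not writable by group or others; the failure shows
# up in the auth log as "bad ownership or modes for chroot directory".
# Assumes GNU or busybox coreutils (stat -c %u / %A, readlink -f).

# component_ok UID PERMS: the rule applied to one path component.
# UID is numeric, PERMS is the symbolic mode as printed by stat -c %A
# (e.g. drwxr-xr-x).  Returns 0 when the component is acceptable, 1 otherwise.
component_ok() {
    local uid="$1" perms="$2"
    [ "$uid" -eq 0 ] || return 1
    case $perms in
        # position 6 is the group write bit, position 9 the other write bit
        ?????w*|????????w*) return 1 ;;
    esac
    return 0
}

# chroot_path_ok DIR: walk from DIR up to / and apply component_ok to each
# component.  Prints the first offending component to stderr; returns 0
# only when the whole path is acceptable.
chroot_path_ok() {
    local comp uid perms
    comp=$(readlink -f "$1") || return 1
    [ -d "$comp" ] || { echo "chroot check: $1 is not a directory" >&2; return 1; }
    while :; do
        uid=$(stat -c %u "$comp") || return 1
        perms=$(stat -c %A "$comp") || return 1
        if ! component_ok "$uid" "$perms"; then
            echo "chroot check: $comp (uid $uid, $perms) must be root-owned and not group/other writable" >&2
            return 1
        fi
        [ "$comp" = / ] && break
        comp=$(dirname "$comp")
    done
    return 0
}

# Usage: sh chroot_check.sh /var/jail/username   (illustrative path, not a real one)
# Run it before adding the Match block, then validate the whole file with sshd -t.
if [ -n "${1:-}" ]; then
    if chroot_path_ok "$1"; then
        echo "$1: acceptable for ChrootDirectory"
    else
        exit 1
    fi
fi
```

Because the walk starts at the jail and ends at /, a world-writable /tmp or a home directory under /home owned by the user fails the check even if the jail itself is set correctly, which is exactly what sshd would reject. After the path passes, `sshd -t` checks the syntax of sshd_config and, on OpenSSH 5.1 or later, `sshd -T -C user=username` prints the effective settings the Match block yields for that user.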
For CentOS 5.2 specifically, you may need to adjust SELinux contexts. Confirm that SELinux is what blocks the login (ausearch -m avc -ts recent) before relabelling:
# chcon -t ssh_home_t /var/jail/username/uploads