Use rssh to restrict user access to sftp

by Daniel Mann on 2011.09.30

This week our customer Liquifusion Studios needed a way to provide restricted end-user access for limited file management via sftp. Liquifusion, run by Doug Harrison, provides premium quality custom web development. I recommend them highly.

Doug needed to grant sftp access to a limited number of users on Ubuntu Server. There was no need to set up a full-featured FTP server like vsftpd to address this simple need. Instead, we elected to use rssh.

Here’s how we used rssh to provide sftp-only access on ubuntu1.

Install rssh

From the rssh homepage: “rssh is a restricted shell for use with OpenSSH, allowing only scp and/or sftp”. This guide demonstrates how to use rssh to restrict end users to sftp access only.

The ubuntu package manager makes installing rssh simple. Make sure your sources are up-to-date, then install rssh:

$ sudo apt-get update
$ sudo apt-get install rssh

Configure rssh

By default, all protocols available to rssh are disabled. To permit desired protocols, uncomment them in the rssh config file.

$ sudo nano -w /etc/rssh.conf

We wanted to permit only sftp access to end users on this server, but you could choose to enable other protocols, including scp, rdist, rsync, and cvs. If you enable other protocols, make sure you understand your configuration and take appropriate security measures.

Also note that the default umask for rssh is 022. That means files will be created with read and write permissions for the user, and read-only permissions for the group and others, but without execute permissions.

Optional security measures

Note that mounting user filesystems with noexec and nosuid is recommended on multi-user systems. Also, for the truly paranoid (or those with even tighter security requirements), rssh supports chroot.

The details of those additional security measures are outside the scope of this guide. You can find more information in the CHROOT document included with the rssh source.

Add restricted users

Now that rssh is configured, we’re ready to add restricted users. The adduser command on ubuntu can add the user account, create and set ownership of the user’s home directory, and set the user’s shell to rssh.

Let’s create an account for the fictional “Joe User” (juser) for this example.

Decide where to locate the user folder

The adduser command will create the user’s home directory if it does not already exist. If the directory already exists, the specified folder will be set as the user’s home directory.

If for some reason you want to create the directory manually, use the mkdir command:

$ sudo mkdir /var/www/juser

Add the user

Note that when you specify an existing directory as the user’s home, you may get a warning like “The home directory ‘/var/www/juser/’ does not belong to the user you are currently creating”. This is expected. We’ll fix that shortly.

Now, add the user:

$ sudo adduser --home /var/www/juser/ --shell /usr/bin/rssh juser

You should enter the full name and a strong password for the user. Other details are left to your discretion2.

Set owner on home folder

Now, if you specified an existing directory as the user’s home, let’s address that warning. Change ownership of the user’s home folder to the user:

$ sudo chown --recursive juser /var/www/juser

That’s done—now it’s time to test file management over sftp!

Test sftp connection

For this part, you’ll need an sftp client. If you don’t have a favorite already, I recommend the open-source, cross-platform FileZilla. Download and install the client, then open its Site Manager and add a new site.

Configure your sftp client to connect to the host where you’ve just added a user account (by hostname or IP address), using protocol SFTP (SSH File Transfer Protocol). This typically uses port 22, but with FileZilla you should only need to specify the protocol.

FileZilla Site Manager

FileZilla Site Manager

Choose a login type of Normal, enter the username and password you specified when creating the user, and hit Connect.

You may be prompted to accept the host key for this server, if you have not previously connected using FileZilla. If you’re just using this to test, you can skip the “Always trust…”; or, if you’ll be using this frequently, go ahead and check the box before clicking OK.

FileZilla: Unknown host key

FileZilla: Unknown host key

That should do it. Enjoy!

  1. Ubuntu Server 10.04 LTS (lucid) is the current long-term support release at the time of this writing. While these instructions might work with other versions of ubuntu, or other linux distributions, we only tested with Ubuntu Server 10.04 LTS. ↩

  2. Sometimes you might have other users (or processes that run as other users) that need access to the directory we set as the user’s home. We have a group called “sftponly” for just this purpose.

    You could do what we did here: change the primary group for the new user to match that used by the other users in the group. To change the user’s primary group to match, issue the following command:

    $ sudo usermod -g sftponly juser

    Of course, if you know you’re going to set up multiple users to use “sftponly” as their primary group, you could specify the default group when you create the user. Here’s the syntax for adding a user with the default group option:

    $ sudo adduser --home /var/www/juser/ --shell /usr/bin/rssh --ingroup sftponly juser

    In the instance of shared folders, you might also want to change the umask in /etc/rssh.conf to 002, which leaves write permission enabled for the user’s group. ↩

{ Comments on this entry are closed }

Enable remote syslog on VMware ESXi

by Daniel Mann on 2011.07.14

Last week our customer Florida Institute of CPAs had an issue with a production iSCSI VMware datastore going offline. Rescanning storage brought the volume back online, but we needed to find the cause so we could prevent a recurrence.

Unfortunately, by the time we got VMware support on the case, the VMware logs had already been overwritten.

VMware ESXi automatically rotates and overwrites logs on internal storage. This is by design, so as not to fill up the limited space on the default volume containing the log files.

They needed a better way to collect and retain ESXi system logs.

Collect system logs with syslog

Syslog is a standard method of log collection used by a variety of systems and devices. It allows for collection of logs into a centralized repository for retention and analysis.

VMware ESXi has a built-in syslog feature. This allows you to capture logs from ESXi hosts to a syslog server for longer-term retention and analysis.

If you need to capture logs from VMware ESXi host servers for longer-term retention and analysis, you can enable remote logging via the built-in syslog feature. The method for doing this on VMware ESXi hosts is revealed in VMware knowledge base article 1016621, “Enabling syslog on ESXi”.

To locate the article manually (in case the above link doesn’t work), browse to and enter KB article ID 1016621 in the field labeled “View by Article ID”.

Simple VMware ESXi syslog configuration

While several configuration options are offered by the knowledge base article, I found the simplest method was to specify the syslog server for each host using the VI client. (This works best for one or a few hosts.)

You will need to know the hostname or IP address of your syslog server, and its listening port (if other than the default port 514). Follow these steps to configure ESXi to log to your syslog server.

  1. Log in to your VI client and select the host you wish to configure from the inventory in the left pane.
  2. With the host selected, click the Configuration tab in the right pane.
  3. From the configuration menu on the left side, under Software, select Advanced Settings.
  4. In the Advanced Settings dialog, select Syslog on the left side.
  5. Enter the hostname or IP address of your syslog server in the field labeled Syslog.Remote.Hostname, e.g. or
  6. If your syslog server listens on a port other than the default of 514, enter the port number in the field labeled Syslog.Remote.Port.
  7. Click OK to save your changes.

VMware ESXi setting Syslog.Remote.Hostname

VMware ESXi setting Syslog.Remote.Hostname

After enabling the remote syslog feature in VMware ESXi, make sure to check your syslog server to verify the logs are being collected. You may also want to set your retention period for logs to ensure that you have sufficient history to trace longer-running or intermittent issues.

Other configuration options

The VMware knowledge base article also details methods of enabling remote syslog via vCLI and PowerCLI. If you need to enable this feature on many hosts, using one of these scriptable methods might prove a better option.

The command for enabling remote syslog using the vCLI will look something like this: --server esxhost1 --username root --password MyPassword --setserver --setport 514

For PowerCLI, you would use something like this:

Connect-VIServer HostnameOrIP

Get-VMHost esxhost1 | Set-VMHostSysLogServer -SysLogServer -SysLogServerPort 514

In each case, the command should be all on one line. Adjust the values to suit your environment, and verify success by checking for logs on your syslog server.

Syslog servers

There are many syslog server options, both open source and commercial. Any standards-compliant syslog server should be able to serve as a repository for log collection from remote devices.

If you run an all-Windows shop, you could use something like the free Kiwi Syslog Server from SolarWinds. Paid versions are available with additional features.

Linux and Unix machines typically come with syslogd for local logging installed by default. Generally you will just need to enable remote logging in your syslog config, permit incoming traffic on port 514, and restart syslogd.

A quick online search for e.g. enable remote syslog on [distribution] should yield helpful tips for configuring your distribution.

Shane Brooks, network admin for FICPA, uses OSSEC for log collection and analysis. In addition to log analysis, OSSEC offers security features such as file integrity checking, rootkit detection, and other features that can be helpful for organizations needing to maintain PCI compliance.

Whatever server option you you use, you now know how to configure your VMware ESXi hosts to send system logs to your syslog server.

{ Comments on this entry are closed }