I need to provide secure file copy to clients, simultaneously forbidding them to log in to our systems. To this effect I’m looking at rssh, the restricted shell for use with OpenSSH, and the other alternative known to me, which is scponly. Both tools do their job.

rssh is more flexible in its configuration, and I know for a fact that it is also used by some large Internet Service Providers (ISPs). Both tools support chroot jails, which is good. rssh appears to have the better logging features, but it lacks subdirectories in chroot jails. On the other hand, scponly supports home directories in the chroot environment with the // syntax (/var/chroot//home/jpm), meaning the chroot jail is in /var/chroot and the initial working directory is in /home/jpm thereunder. Unfortunately, there is no way to lock a user into the jailed home except by restricting permissions of the directories above (more like security through obscurity). I could of course create a chroot for each user, but that is cumbersome and a huge waste of disk space…

I’ve tested both tools with OpenSSH’s SFTP, as well as with Windows versions of WinSCP and FileZilla without any issues, but I still have to make up my mind on which to use.
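Because a shared jail relies on directory permissions alone, it helps to audit which neighbouring homes a jailed account can list or enter. The following is an added example, not code from this post or from scponly: the function names are hypothetical, the directory tree is constructed sample data, and the check looks only at classic mode bits (no ACLs).

```python
import os
import stat
import tempfile

def split_jail_home(field):
    """Split 'JAIL//HOME' (scponly passwd home field) into (jail, home inside jail)."""
    jail, sep, inner = field.partition("//")
    if not sep or not jail:
        raise ValueError("no '//' chroot marker in %r" % field)
    return jail.rstrip("/") or "/", "/" + inner.strip("/")

def exposed_siblings(jail, inner_home, uid, gids=()):
    """List directories beside the user's home that uid/gids may list or enter."""
    parent = os.path.join(jail, os.path.dirname(inner_home).lstrip("/"))
    own = os.path.basename(inner_home)
    found = []
    for name in sorted(os.listdir(parent)):
        st = os.lstat(os.path.join(parent, name))
        if name == own or not stat.S_ISDIR(st.st_mode):
            continue
        # Pick the permission triplet the kernel would apply to this user.
        if st.st_uid == uid:
            bits = st.st_mode >> 6
        elif st.st_gid in gids:
            bits = st.st_mode >> 3
        else:
            bits = st.st_mode
        if bits & 0o5:  # r (list) or x (traverse)
            found.append(name)
    return found

def build_sample_jail(root):
    """Constructed sample tree: three homes with explicit modes."""
    for name, mode in (("jpm", 0o700), ("alice", 0o755), ("bob", 0o700)):
        path = os.path.join(root, "home", name)
        os.makedirs(path)
        os.chmod(path, mode)
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        jail, home = split_jail_home(build_sample_jail(tmp) + "//home/jpm")
        other_uid = os.getuid() + 1  # assumed uid that does not own the tree
        print(jail, home, exposed_siblings(jail, home, other_uid))
```

Any name the check returns is a home directory whose mode should be tightened (for example to 0700) before the jail is shared between clients.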

Linux, SSH, and Security :: 28 Sep 2006