Imagine you are writing a shell script that requires the user to input confidential information, lets say a password.

The user wont feel comfortable if the password is echoed on the screen like a simple text. If you ever used expect interactive scripting, you know for sure this kind of problem.

Don’t worry, its amazingly easy to perform this trick and stop echoing whatever the user types on the screen.

Simply add the following line to your script:

stty -echo

and you are done. The stty output will go offline. Let’s see an example:

#!/bin/bash
echo Hello
stty -echo
# do what ever you want to do
echo 'I slept with your girlfriend'
stty echo
echo Bye
exit 0;

That’s it! Just remember to put it back to normal with the following command:

stty echo

Also, it would be helpful for you to read the whole man page for stty.

$ man stty

This is typical situation, you created users that were intended to stay in their /home environment, however they seem to have a knack of poking around all your server directories.

A restricted shell is a Unix shell that has been modified to allow the Unix shell user to do fewer things than a normal shell would allow him to do. Restricted shells allow you to control the user’s environment allowing only specific admin-aproved commands.

rssh behaves identically to bash with the exception that at least one of the following commands are allowed:

scp – secure copy
sftp – secure FTP
cvs – control versions system
rsync – sync filesystem
rdist – backup utility

Is available through yum in fedora and apt-get in debian. Also you can get a fresh copy from the official website (http://dragontoe.org/rssh/)

In fedora:
# yum install rssh

In Debian:
# apt-get install rssh

Now rssh is installed by default it’s configuration will lock down everything including any sort of access. We need to set up the configuration file. The default file is located at /etc/rssh.conf

For example, I only want to allow only scp and sftp to my server. Also I’m leaving some commented lines for future usage, just in case.

allowscp
allowsftp
#allowcvs
#allowrdist
#allowrsync

There is no rssh service and the configuration is read on the fly.

Next logical step is to add some users.

# useradd -m -d /home/sara -s /usr/bin/rssh sara

Or if the user already exists, use chmod to assign the restricted shell.

# usermod -s /usr/bin/rssh sara

Now, lets say if sara tries to connect the server with ssh or telnet a message like the following will appear.

This account is restricted by rssh.
Allowed commands: scp sftp

If you believe this is in error, please contact your system administrator.

Connection to localhost closed.

rssh is a simple way to implement security on your server and rather than a unbreakable security measure, rssh is just the start to forge a secure server. It should be awesome if you could also include a unix jail or a custom restricting script written in your favorite programming language.

Just remember to never underestimate the ingenuity of your users.

Good luck!