pizzashack.org - home of pizzacode

rssh frequently asked questions

Contents

Q: What is rssh?
Q: Why did you write this software?
Q: How do I contact you with bug fixes, questions not answered here, etc.?
Q: Will you send me e-mail when you release an update?
Q: Does rssh support chroot jails?
Q: Why can't I scp/sftp with chroot jails?
Q: When I connect to an account configured to use a chroot jail, I just get a "Connection closed" message. Why?
Q: I'm not compiling with GCC and rssh won't compile?
Q: Why can't I compile on Irix?
Q: Where is the CHROOT file you keep mentioning?
Q: Why does rssh keep dumping core on me?
Q: I set up rssh and it's great! But, can't you also add the ability to run command x?
Q: I support Windows users who can't/won't learn how to use SSH command-line tools. Can't you make rssh work with WinSCP?

Questions and answers

Q: What is rssh?

A: See the rssh homepage.

Q: Why did you write this software?

A: Mainly, because the question of how to restrict access to scp or sftp only kept coming up on a few different mailing lists I was on at the time... Several people made some suggestions (like using a shell script as the user's shell) which sort of work, but aren't terribly secure or reliable. The commercial SSH product has a program to do this, but OpenSSH does not. Joe Boyle has a similar program called scponly, which at the time I looked at it had some security problems, though they have since been fixed... It does currently have some functionality that rssh does not (namely it works with WinSCP; see below), and some that it never will have (more on that in a moment). Obviously I prefer the way I've implemented my program, or else I wouldn't have written it.   =8^)

I did not write this program for my own use; I do not use it today, nor have I ever (though obviously I would if the occasion arose). At the time, I was bored, and I thought this project would be amusing and educational, as well as fill a gap. Please keep this in mind when asking for support. Odds are I'll give it pretty quickly if I've got a free minute, but what you get is what you get, and I won't lose sleep over slow response time. You've been warned.

Q: How do I contact you with bug fixes, questions not answered here, etc.?

A: First, please don't e-mail me privately, unless this is a security issue. Otherwise, I don't answer private e-mail about rssh. Also, don't use the bug reporter or the patch tool on the Sourceforge site. Instead, you should join the Mailing List and post your question there. Note that you must sign up for the mailing list to post. The reasons for all this are 1. so that I can save time by not answering the same questions over and over again, and 2. to keep spam off the list.

Q: Will you send me e-mail when you release an update?

A: Are you serious? I do have a life, you know... If you want to be notified of new releases of rssh, visit its freshmeat page, where you can subscribe to new releases. Whenever I release a new version, I update freshmeat, so you'll be notified if you subscribe. You can also monitor the package from the Sourceforge interface; I send out notifications from there when I upload new releases.

Q: Does rssh support chroot jails?

A: With the 2.0 release, chroot jail support was included. In 2.1 it is configurable on a per-user basis.

Q: Why can't I scp/sftp with chroot jails?

Q: When I connect to an account configured to use a chroot jail, I just get a "Connection closed" message. Why?

A: The problem is that you have not set up your chroot jail properly... Something is missing. As I've said numerous times throughout the documentation, setting up a chroot jail is very system dependent, so if you've read the CHROOT file carefully and followed the directions there carefully, and it still doesn't work, then I almost certainly can't help you. But then, if you had done all that, you wouldn't need to be looking here...

Note that if you are using rssh with Solaris 9, FreeBSD, AIX 5.2, or probably other operating systems, you will need to copy your system shell into the chroot jail, because wordexp() uses it to expand command-line arguments on those platforms. See the CHROOT file for more details.

There is a script called mkchroot.sh included with the source and the RPM packages. For most Linux users this should do the job, though it may need some small modifications for paths of some files. However it seems that on recent Linux distros, the script is missing something important, and I haven't yet figured out what that is... If you are able to identify it, please post to the mailing list to let me (and everyone else) know. If you run into this problem, and can't figure out what is missing, I've found that copying all of /lib into the jail seems to fix it. Not an ideal solution, but it works.
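A diagnostic for the "something is missing" situation described in this answer, as an added example that is not part of rssh or its mkchroot.sh script: it lists the shared libraries that ldd reports for a binary but that do not exist at the same path under the jail. The jail directory and binary paths given on the command line are assumptions about your system.

```shell
#!/bin/sh
# Added example (not from the rssh distribution): find libraries that a
# binary links against but that are absent from a chroot jail.
# Usage (paths are placeholders): sh jailcheck.sh /path/to/jail /usr/bin/scp ...
# Run ldd only on trusted system binaries.

# Read ldd-style output on stdin and print the absolute library paths.
# Handles "libc.so.6 => /lib/libc.so.6 (0x...)" and
# "/lib64/ld-linux-x86-64.so.2 (0x...)"; entries with no path
# (for example linux-vdso) are skipped.
ldd_paths() {
    awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^\//) { print $i; break }
    }' | LC_ALL=C sort -u
}

# Read ldd-style output on stdin and print every library path that does
# not exist under the jail directory given as $1.
missing_in_jail() {
    jail=$1
    ldd_paths | while IFS= read -r lib; do
        [ -e "$jail$lib" ] || printf '%s\n' "$lib"
    done
}

# Check one host binary: report the binary itself if it is not in the
# jail, then every library it needs that is not in the jail.
check_binary() {
    jail=$1
    bin=$2
    [ -e "$jail$bin" ] || printf '%s\n' "$bin"
    ldd "$bin" 2>/dev/null | missing_in_jail "$jail"
}

# Only act when called with a jail directory and at least one binary.
if [ "$#" -ge 2 ]; then
    jail=$1
    shift
    for bin in "$@"; do
        check_binary "$jail" "$bin"
    done | LC_ALL=C sort -u
fi
```

ldd lists only link-time dependencies; libraries a program loads at run time with dlopen(), such as glibc's NSS modules, do not appear in its output and have to be checked separately.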

Q: I'm not compiling with GCC and rssh won't compile?

A: Upgrade to the latest release, and try again. Let me know if you still have problems.

Q: Why can't I compile on Irix?

A: Upgrade to the latest release, and try again. Let me know if you still have problems.

Q: Where is the CHROOT file you keep mentioning?

A: If you downloaded the source, it's in there. If you installed from RPM, then have a look in /usr/share/doc/rssh-X.X.X/ for it. If you installed from a package distributed by your Linux distribution vendor, look for it wherever they put their documentation files. If all else fails, try using your package manager to list the files included in the rssh package...

Q: Why does rssh keep dumping core on me?

A: If you built rssh for Solaris, and are not using rssh with a version of OpenSSH >= 3.5, then by default the configure script will try to build statically linked binaries. This is next to impossible on Solaris, due to brain damage in Sun's C libraries. Upgrade to OpenSSH 3.5 to fix the problem securely. Or, if that's not an option, you can run the configure script with --disable-static, but this opens a security hole.

If you are already using OpenSSH 3.5 or later, and/or you are not building on Solaris, then you probably installed rssh incorrectly. You are also probably using it with chroot jails. Be sure to read the man page and the INSTALL file, and also the CHROOT file if you are using rssh with chroot jails. If you don't have your jail set up properly, you will definitely see lots of broken behavior, including core dumps.

Q: I set up rssh and it's great! But, can't you also add the ability to run command x?

A: Well, no. Or, actually yeah I could, but I don't want to. There are several reasons for this, and I think they're good ones. The purpose of rssh is to allow system administrators to allow users access to a server via either scp or sftp, or both. This design is simple and clean, and very easy to keep secure.

Aside from the fact that if I added the ability to run all of the x's in people's requests, what you'd end up with would essentially be bash, once you start adding additional commands, or the ability to run arbitrary commands, it becomes much harder, which is to say nearly impossible, to keep secure. Too many possible variables. Also, rssh has the ability to chroot. This requires that the binary (or at least a helper program) is SUID root. This only compounds the problem; one little mistake would mean a root compromise.

So sorry, but no. As far as I'm concerned, it defeats the purpose of having the thing in the first place, and also utterly destroys the simplicity of the code. Maybe what you need is some other form of secure shell. Or, feel free to take the code for rssh and modify it any way you like. But please stop asking for this feature, 'cuz it ain't gonna happen.

Oh, another reason is because I'm lazy... Get over it!   =8^)

Q: I support Windows users who can't/won't learn how to use SSH command-line tools. Can't you make rssh work with WinSCP?

A: Absolutely not. It's not because I think Windows is a crappy operating system that should never be used whenever alternatives exist (though that's basically true)... This ties in with the previous question. WinSCP is a bit of a hack (though a good one -- no offense meant to the author) which provides a GUI front end to command-line ssh tools. It requires that the user be able to run commands through ssh to manipulate the file system. There's already a way to do this... with sftp. In order to make rssh work with WinSCP, I'd have to modify rssh to be able to run a number of other commands. This is, IMO, the wrong approach.

Update: Recent versions of WinSCP allow you to use the SFTP protocol. If you use WinSCP with the SFTP protocol, it will work fine with rssh. See the WinSCP documentation for details of configuring it to use the SFTP protocol. If your version of WinSCP does not allow this, download a more recent version.

If you want a GUI front end that works with rssh, that I can provide. Or at least tell you where to get it. Check out FileZilla, which is freeware, or SecureFX, which is commercial. Thanks to Paul C. Bryan for providing me with this information. There are also a number of commercial FTP clients that now also support sftp. WS-FTP Pro is one. There are others. Google is your friend.