rsh - Restricted SHell

rsh is a restricted shell. It allows only the execution of a reduced set of commands specified in the configuration file (/etc/rsh.conf). rsh is meant to be used as the login shell for users with restricted privileges. rsh does not provide any access to the file system. Typically, it is used only to let users change their password or personal information, or to give them svn+ssh access.

The format of the configuration file is:

  • for user message is 'message' : Set the welcome message of 'user' to 'message'. 'user' can be any valid username, or * for everybody.
  • for user prompt is 'prompt' : Set the prompt of 'user' to 'prompt'.
  • for user startup command is 'cmd' : Execute the command 'cmd' when 'user' logs in.
  • for user log into 'file' : Log all activity of 'user' into the file 'file'.
  • for user allow [with args] 'real' as 'alias' : When 'user' types the command 'alias', the real command 'real' is executed (with the system default shell, typically /bin/sh). If 'with args' is specified, the real command receives the command-line arguments given to 'alias'.
  • for user allow hidden [with args] 'real' as 'alias' : Same as above, except that the alias does not appear in the help list (the ? command).

Here is an example:

# Welcome message
for * message is 'Welcome! You are on a restricted shell.'
for root message is '/!\ You are logged as root /!\'

# Prompt
for * prompt is '>: '
for root prompt is '# '

# Make the exit & version builtin commands visible in the help list
for * allow 'exit' as 'exit'
for * allow 'version' as 'version'

# Allow message sending
for * allow 'echo -n "To: " ; read to ; echo -n "Message: " ; read mess ; echo $mess | write $to' as 'write'
for * allow 'mesg y; echo Messages from other users are now permitted' as 'pmesg'
for * allow 'mesg n; echo Messages from other users are now forbidden' as 'fmesg'

for * allow '/usr/bin/clear' as 'cls'

for * allow '/usr/bin/date' as 'date'
for * allow '/usr/bin/who' as 'who'

# Allow password changing except for user 'test'
for * allow '/usr/bin/passwd' as 'passwd'
for test allow 'echo user test can not change his password' as 'passwd'

for * allow '/usr/bin/echo -e "id: $(id)\ngroups: $(/usr/bin/groups)"' as 'infos'

# Allow svn+ssh connections
for * allow hidden with args '/usr/bin/svnserve' as 'svnserve'

# SSH public/private key pair management
#  Enable user to add a key with cat ~/.ssh/id_dsa.pub | ssh LOGIN@SERVER sshkeyadd
for * allow 'mkdir ~/.ssh 2>/dev/null;cat >> ~/.ssh/authorized_keys;echo Added.' as 'sshkeyadd'
for * allow 'mkdir ~/.ssh 2>/dev/null;> ~/.ssh/authorized_keys;echo Cleared.' as 'sshkeyclear'
for * allow 'mkdir ~/.ssh 2>/dev/null;cat ~/.ssh/authorized_keys' as 'sshkeyview'


# Log all rsh activity in /var/log/rsh.log
for * log into '/var/log/rsh.log'


for test log into '/home/test/.rsh.log'
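
The directive grammar described above, and the way a user-specific line overrides a '*' line in the example (as with 'passwd' for user 'test'), can be made concrete with a small parser. The following is an added example written for this README, not code from the rsh project: the regex, the Rule type and the '*'-then-user lookup order are this example's own assumptions, and SAMPLE is a constructed configuration in the format shown above.

```python
import re
from collections import namedtuple

# Grammar as this README describes it: one directive per line, '#' comments, single-quoted
# values. The regex, the Rule type and the lookup order below are this example's own.
RULE_RE = re.compile(
    r"^for\s+(?P<user>\S+)\s+(?:(?P<kind>message is|prompt is|startup command is|log into)"
    r"\s+'(?P<value>.*)'|allow(?P<hidden>\s+hidden)?(?P<args>\s+with\s+args)?"
    r"\s+'(?P<real>.*)'\s+as\s+'(?P<alias>[^']*)')\s*$")

# value: message/prompt/command/log file, or the real command of an 'allow' rule
Rule = namedtuple("Rule", "user kind value alias hidden with_args", defaults=("", False, False))

def parse_config(text):
    """Parse rsh.conf text; an unrecognised line raises rather than silently dropping out."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: cannot parse {line!r}")
        if m["kind"]:
            rules.append(Rule(m["user"], m["kind"], m["value"]))
        else:  # hidden: kept out of the '?' list; with_args: user's arguments reach 'real'
            rules.append(Rule(m["user"], "allow", m["real"], m["alias"],
                              bool(m["hidden"]), bool(m["args"])))
    return rules

def allow_table(rules, user):
    """Aliases in effect for 'user': '*' entries, then the user's own on top (assumed order)."""
    table = {}
    for who in ("*", user):
        table.update({r.alias: r for r in rules if r.kind == "allow" and r.user == who})
    return table

def resolve(rules, user, alias):  # real command /bin/sh runs for 'alias'; None if not allowed
    return getattr(allow_table(rules, user).get(alias), "value", None)

def help_list(rules, user):  # what '?' shows: every alias not declared hidden
    return sorted(a for a, r in allow_table(rules, user).items() if not r.hidden)

# Constructed sample in the README's format (not a real /etc/rsh.conf)
SAMPLE = """for * allow '/usr/bin/passwd' as 'passwd'
for test allow 'echo user test can not change his password' as 'passwd'
for * allow hidden with args '/usr/bin/svnserve' as 'svnserve'
for * allow 'echo -n "To: " ; read to ; echo $mess | write $to' as 'write'
for * log into '/var/log/rsh.log'
"""
```

Rejecting unparseable lines instead of skipping them matters for a policy file: a mistyped 'allow' line should fail loudly at load time rather than vanish from the effective command list.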

Note: If you want line editing and history support, you must compile rsh with 'make ENABLE_READLINE=1' instead of 'make'.

If enabled, the history is stored in ~/.rsh_history.



Installation