lshell  0.9.18
About: lshell (Limited Shell) is a Python application that lets you restrict the environment of any SSH user.
  Fossies Dox: lshell_0.9.18.tar.gz  ("inofficial" and yet experimental doxygen-generated source code documentation)  

lshell Documentation

lshell - limited shell

lshell is a shell coded in Python that lets you restrict a user's environment to limited sets of commands, choose to enable or disable any command over SSH (e.g. SCP, SFTP, rsync, etc.), log users' commands, implement timing restrictions, and more.

Note: all the information below (and more) can be found in the manpage (man -l man/lshell.1 or man lshell).


1. Install from source
        # on Linux:
        python setup.py install --no-compile --install-scripts=/usr/bin/
        # on *BSD:
        python setup.py install --no-compile --install-data=/usr/{pkg,local}/
2. On Debian (or derivatives)
        apt-get install lshell
3. On RHEL (or derivatives)
        yum install lshell


lshell.conf presents a template configuration file. See etc/lshell.conf or the man page for more information.

A [default] profile is available for all users using lshell. Nevertheless, you can create a [username] section or a [grp:groupname] section to customize users' preferences.

Order of priority when loading preferences is the following:

  1. User configuration
  2. Group configuration
  3. Default configuration

The primary goal of lshell is to create shell accounts with SSH access and restrict their environment to a couple of needed commands and paths.

For example, user 'foo' and user 'bar' both belong to the 'users' UNIX group:

  • User 'foo':
      - must be able to access /usr and /var but not /usr/local
      - can use all commands in his PATH except 'su'
      - has a warning counter set to 5
      - has his home path set to '/home/users'

  • User 'bar':
      - must be able to access /etc and /usr but not /usr/local
      - is allowed default commands plus 'ping' minus 'ls'
      - strictness is set to 1 (meaning he is not allowed to type an unknown command)

In this case, my configuration file will look something like this:

[global]
logpath         : /var/log/lshell/
loglevel        : 2

[default]
allowed         : ['ls','pwd']
forbidden       : [';', '&', '|']
warning_counter : 2
timer           : 0
path            : ['/etc', '/usr']
env_path        : ':/sbin:/usr/foo'
scp             : 1 # or 0
sftp            : 1 # or 0
overssh         : ['rsync','ls']
aliases         : {'ls':'ls --color=auto','ll':'ls -l'}

[grp:users]
warning_counter : 5
overssh         : - ['ls']

[foo]
allowed         : 'all' - ['su']
path            : ['/var', '/usr'] - ['/usr/local']
home_path       : '/home/users'

[bar]
allowed         : + ['ping'] - ['ls']
path            : - ['/usr/local']
strict          : 1
scpforce        : '/home/bar/uploads/'
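
To review what each user actually ends up with, the following added example (not lshell's own code) models the priority order and the +/- list syntax described above and resolves the effective settings for 'foo' and 'bar'. The section names [default], [grp:users], [foo] and [bar], the function names and the (keep, deny) pair are assumptions of this example; lshell's real parser may treat edge cases differently.

```python
import ast
import configparser
import re

# Constructed sample: a subset of the keys from the configuration above.
SAMPLE = """\
[default]
allowed         : ['ls','pwd']
path            : ['/etc', '/usr']
overssh         : ['rsync','ls']
warning_counter : 2
[grp:users]
warning_counter : 5
overssh         : - ['ls']
[foo]
allowed         : 'all' - ['su']
path            : ['/var', '/usr'] - ['/usr/local']
[bar]
allowed         : + ['ping'] - ['ls']
path            : - ['/usr/local']
"""
# One term of a value: optional +/- sign, then a list, quoted string or integer.
TERM = re.compile(r"([+-])?\s*(\[[^\]]*\]|'[^']*'|\d+)")

def layer(inherited, raw):
    """Layer one section's raw value over the inherited (keep, deny) pair."""
    keep, deny = inherited
    for sign, literal in TERM.findall(raw):
        value = ast.literal_eval(literal)
        if sign == "-":    # drop from keep and remember as explicitly denied
            keep = keep if keep == "all" else [v for v in keep if v not in value]
            deny = deny + [v for v in value if v not in deny]
        elif sign == "+":  # extend keep and lift any earlier denial
            keep = keep if keep == "all" else keep + [v for v in value if v not in keep]
            deny = [v for v in deny if v not in value]
        else:              # an unsigned term replaces whatever was inherited
            keep, deny = value, []
    return keep, deny

def effective(user, groups, text=SAMPLE):
    """Resolve settings lowest priority first: default, then group, then user."""
    cfg = configparser.ConfigParser(interpolation=None, inline_comment_prefixes=("#",))
    cfg.read_string(text)
    result = {}
    for section in ["default", *(f"grp:{g}" for g in groups), user]:
        if cfg.has_section(section):
            for key, raw in cfg.items(section):
                result[key] = layer(result.get(key, ([], [])), raw)
    return result
```

Calling effective("bar", ["users"]) returns each key as a (keep, deny) pair, so an inherited entry such as 'ls' that a later section removes shows up in the deny half instead of silently disappearing.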


To launch lshell, just execute lshell specifying the location of your configuration file:

lshell --config /path/to/configuration/file

In order to log a user, you will have to add him to the lshell group:

usermod -aG lshell username

In order to configure a user account to use lshell by default, you must run the following (you might need to ensure that lshell is listed in /etc/shells):

chsh -s /usr/bin/lshell user_name

After this, whichever method is used by the user to log into his account, he will end up using the limited shell you configured for him!


If you want to contribute to this project, please do not hesitate. Open an issue and, if possible, send a pull request.

Please use GitHub for all requests: https://github.com/ghantoos/lshell/issues