RXSH v1.1

0-Problem description

Need to allow an access from outside to a 3rd party, but you don't want your service to listen public ports?

1-What is RXSH ?

RXSH is Restricted SHell. The letter X was chosen arbitrarily only because there was already 'rsh' (remote shell).

Now that I really think of it. Maybe the X stands for some kind of transmission, just like in RX/TX.

2-What does it do?

Nothing. RXSH is simply totally dumb shell which does absolutely nothing. It takes no input, it'll print uninformative message though.

RXSH quits immediately if any parameters are passed (such as '-c /usr/lib/sftp-server'), so it won't allow SCP/SFTP access. The user is simply allowed to contact listening daemons in the localhost from outside via maintained secure shell connection.

3-So.. why did you do it?

I wanted a shell that will be used to maintain a connection to the server, but that will not allow the user to do anything on the server. It's actually useful only if you don't want to run any service at your public ip address and use ssh forwarded ports instead.

For example, I have mysqld running on localhost ( at the standard port (3306). I only wish to allow connection to this service to only those users who have a connection account on my server.

4-Where to get it?


5-How to compile?


6-How to install?

2 steps:

First: cp rxsh /usr/local/bin
Second: echo /usr/local/bin/rxsh >> /etc/shells

7-How to deploy?

chsh -s /usr/local/bin/rxsh username

8-How to take connection to <service> ?

$ ssh -L localport:localhost:remoteport username@hostname

Now, you only need to command your client software to take connection to localport at localhost.

9-I'm using putty on Windows. How to take connection to MySQL at some host?

c:\> start plink -L 3306:localhost:3306 username@hostname
c:\> mysql -h localhost -u mysqlusername --password=mysqlpassword databasename

10-Is there any support?

Yes, although I don't really know why would you need it, but please send me email if you use this software. You may send me an email at <tomi AT panula-ont DOT to>.

11-Future plans?

Logging maybe.


20081031: Added a feature: Quit immediately if any parameters are passed.


SSH Escape sequences

RXSH does nothing to prevent normal SSH escape sequences, like ~C which opens the command line when written right after the newline. Note that this command line is specific to SSH only and can be used only to modify the forwarded ports, so it's exactly what we want to allow anyway.

SSH version

RXSH is tested with OpenSSH 4.2, protocol version 2 only (should work on version 1, too)


RXSH does not timeout your connection. I have had connections over a week with it without any problems.