SSH Tectia Server configuration is done in the XML-format configuration file ssh-server-config.xml. The configuration file is used to override the default settings. You can check the default settings in the example file /etc/ssh/ssh-server-config-default.xml.

To edit your SSH Tectia Server configuration file, open the ssh-server-config.xml file from its default location in folder /etc/ssh/.

The following example shows the configuration file with the settings required to produce the use case described in Configuring an SFTP Use Case. For instructions, see the sections below the file example.
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE secsh-server SYSTEM
  "/etc/ssh2/ssh-tectia/auxdata/ssh-server-ng/ssh-server-ng-config-1.dtd"
  [ <!ENTITY configdir PUBLIC "secsh:directory(config-server)" ""> ]>
<secsh-server>
  <!--This block defines the allowed cryptographic methods-->
  <!--Keep the default settings-->
  <params>
    <crypto-lib mode="standard" />
    <hostkey>
      <private file="&configdir;/hostkey" />
      <public file="&configdir;/hostkey.pub" />
    </hostkey>
    <listener id="listener" port="22" />
    <limits max-connections="256" max-processes="40" />
  </params>

  <!--This block defines the allowed server authentication methods-->
  <!--Keep the default settings-->
  <connections>
    <connection action="allow">
      <cipher name="aes128-cbc" />
      <cipher name="aes192-cbc" />
      <cipher name="aes256-cbc" />
      <cipher name="3des-cbc" />
      <cipher name="seed-cbc@ssh.com" />
      <cipher name="crypticore128@ssh.com" />
      <mac name="hmac-sha1" />
      <mac name="hmac-md5" />
      <mac name="crypticore-mac@ssh.com" />
    </connection>
  </connections>

  <!--This block defines the allowed user authentication methods-->
  <!--Allow only public key authentication-->
  <authentication-methods login-grace-time="600">
    <authentication action="allow">
      <auth-publickey />
    </authentication>
  </authentication-methods>

  <!--This block defines user groups and rules for each group-->
  <!--The default settings are applied to users left outside the groups-->
  <services>
    <!--Define a group for enforced password changing for users with-->
    <!--expired passwords.-->
    <!--Omit this group if you do not want to enforce password changes.-->
    <group name="passwd-change">
      <selector>
        <user-password-change-needed />
      </selector>
    </group>

    <!--Define a group for privileged users-->
    <group name="admin">
      <selector>
        <user-privileged value="yes" />
      </selector>
    </group>

    <!--Define a group for SFTP-only users-->
    <group name="SFTP-users">
      <selector>
        <user-group name="staff" />
      </selector>
    </group>

    <!--Define the enforced password changing policy.-->
    <!--Omit this group if you do not want to enforce password changes.-->
    <rule group="passwd-change">
      <terminal action="deny" />
      <command application="/usr/bin/passwd" action="forced" />
      <tunnel-local action="deny" />
      <tunnel-remote action="deny" />
    </rule>

    <!--Define what the privileged users are allowed to do-->
    <rule group="admin" idle-timeout="0">
      <terminal action="allow" />
      <subsystem type="sftp" action="allow" application="sft-server-g3" />
      <command action="allow" />
      <tunnel-local action="allow" />
      <tunnel-remote action="allow" />
    </rule>

    <!--Define what the SFTP-only users are allowed to do-->
    <rule group="SFTP-users">
      <terminal action="deny" />
      <subsystem type="sftp" action="allow" application="sft-server-g3"
                 chroot="/home/%username%" />
      <command action="deny" />
      <tunnel-local action="deny" />
      <tunnel-remote action="deny" />
    </rule>

    <!--Define what the rest of the users are allowed to do-->
    <rule>
      <terminal action="deny" />
      <subsystem type="sftp" action="deny" application="sft-server-g3" />
      <command action="deny" />
      <tunnel-local action="deny" />
      <tunnel-remote action="deny" />
    </rule>
  </services>
</secsh-server>
```
For information on SSH Tectia Server behaviour with expired passwords, see ssh-server-config-xml in SSH Tectia Server Administrator's Manual.
To enable public-key authentication on the server, include the following settings in the ssh-server-config.xml file, in the <authentication-methods/> block:

```xml
<authentication action="allow">
  <auth-publickey />
</authentication>
```
To be able to restrict the access to the file transfer service, first create user groups and then define rules for them.

In the ssh-server-config.xml file, define groups with names admin and SFTP-users in the services block. With element <selector/>, define who belongs to each group. Group admin includes all privileged users. Group SFTP-users includes those users who are allowed to use the SFTP service. Attach an existing user group, for example "staff", to the SFTP-users group.

```xml
<group name="admin">
  <selector>
    <user-privileged value="yes" />
  </selector>
</group>

<group name="SFTP-users">
  <selector>
    <user-group name="staff" />
  </selector>
</group>
```
Definitions of the XML elements:

group: Creates a group that can be used as a basis for restricting services. Groups are defined based on selectors. The name must be given as an attribute. The value of name must be a valid XML name beginning with a letter and containing alphanumeric characters or the underscore character without any whitespace.

rule: This element defines a rule for the specified group of users. Rules can be used to restrict the services and commands the server allows to the users. The rules are read in order, and the first rule that matches the user's group is used. The match must be exact. No wild cards are allowed in the group attribute. If no group is specified, the rule matches all users.

```xml
<rule group="SFTP-users">
  <terminal action="deny" />
  <subsystem type="sftp" action="allow" application="sft-server-g3"
             chroot="/home/%username%" />
  <command action="deny" />
  <tunnel-local action="deny" />
  <tunnel-remote action="deny" />
</rule>

<rule>
  <terminal action="deny" />
  <subsystem type="sftp" action="deny" application="sft-server-g3" />
  <command action="deny" />
  <tunnel-local action="deny" />
  <tunnel-remote action="deny" />
</rule>
```
By default, file access by the user using the SFTP subsystem is restricted by the file system access controls. You can define more restrictions by activating chrooting. Chrooting definitions are made in the ssh-server-config.xml configuration file.
Folder access can be further restricted with the usage of the chroot attribute. The chroot attribute can be used with the subsystem, terminal, and command elements. For more information on chrooting, see SSH Tectia Server Administrator's Guide.

The chroot attribute must be a directory path. Values %username%, %homedir%, and %hostname% will be substituted with the username, user's home directory, and the FQDN of the connected client, respectively. An example of chroot usage is shown below:

```xml
<rule group="SFTP-users">
  <subsystem type="sftp" action="allow" application="sft-server-g3"
             chroot="/home/%username%" />
</rule>
```

Here %username% will be replaced. For example, for user user7, the path would be /home/user7. During an SFTP session, user user7 is now restricted to this directory (and its subdirectories).
Note: Chrooting the SFTP subsystem affects both SFTP and SCP2 operations to the server, but it does NOT affect OpenSSH-style SCP operations. To chroot also OpenSSH SCP, you should chroot the
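The rule-matching semantics described under the rule element (first matching rule in document order, exact group match, a group-less rule as catch-all) and the chroot placeholder substitution above can be checked offline against a services block before it is deployed. The following Python audit helper is an added example, not part of the SSH Tectia product or its manual; the services excerpt is constructed from the page's configuration, and the user dict (username, privileged, groups, homedir, hostname) is a hypothetical model of the selectors the page uses.

```python
import xml.etree.ElementTree as ET
# Constructed excerpt of the page's <services> block (command/tunnel elements omitted).
SERVICES_XML = """<services>
  <group name="admin"><selector><user-privileged value="yes"/></selector></group>
  <group name="SFTP-users"><selector><user-group name="staff"/></selector></group>
  <rule group="admin" idle-timeout="0">
    <terminal action="allow"/>
    <subsystem type="sftp" action="allow" application="sft-server-g3"/>
  </rule>
  <rule group="SFTP-users">
    <terminal action="deny"/>
    <subsystem type="sftp" action="allow" application="sft-server-g3" chroot="/home/%username%"/>
  </rule>
  <rule>
    <terminal action="deny"/>
    <subsystem type="sftp" action="deny" application="sft-server-g3"/>
  </rule>
</services>"""

def user_groups(services, user):
    """Names of <group> elements whose selector matches the (hypothetical) user dict."""
    matched = []
    for group in services.findall("group"):
        for sel in group.findall("selector"):
            priv, ugrp = sel.find("user-privileged"), sel.find("user-group")
            if priv is not None and (priv.get("value") == "yes") == user["privileged"]:
                matched.append(group.get("name"))
            elif ugrp is not None and ugrp.get("name") in user["groups"]:
                matched.append(group.get("name"))
    return matched

def effective_rule(services, user):
    """First <rule> in document order whose group matches exactly; a group-less <rule> matches everyone."""
    groups = user_groups(services, user)
    for rule in services.findall("rule"):
        if rule.get("group") is None or rule.get("group") in groups:
            return rule

def expand_chroot(path, user):
    """Substitute the %username%, %homedir% and %hostname% placeholders the page documents."""
    for key in ("username", "homedir", "hostname"):
        path = path.replace(f"%{key}%", user[key])
    return path

def effective_access(user):
    # Summarise what the configuration grants one user: useful for auditing rule order.
    rule = effective_rule(ET.fromstring(SERVICES_XML), user)
    sftp = rule.find("subsystem[@type='sftp']")
    return {"rule": rule.get("group"), "terminal": rule.find("terminal").get("action"),
            "sftp": sftp.get("action"),
            "chroot": expand_chroot(sftp.get("chroot"), user) if sftp.get("chroot") else None}
```

A privileged user who is also in "staff" belongs to both groups, and the admin rule wins purely because it comes first; reordering the rules changes the outcome, which is the point of the audit.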
You can restrict terminal access so that it is allowed only for users in group admin. To disable terminal access from everyone else, make the following settings in the ssh-server-config.xml file, in the services block:

```xml
<rule group="admin">
  <terminal action="allow" />
  ...
</rule>

<rule group="SFTP-users">
  <terminal action="deny" />
  ...
</rule>

<rule>
  <terminal action="deny" />
  ...
</rule>
```
This setting also denies X11 and agent forwarding and shell commands for the specified group (unless some commands are explicitly allowed).

The users will be able to use SFTP and other subsystems defined in the SSH Tectia Server configuration. Any other "exec" and "shell" requests will be denied for the users. This includes forced commands with public keys and the legacy-style password changing when performed as a forced command.