For the example use case, we need to override some of the Tectia Server default settings. This is done by creating an XML-format configuration file, ssh-server-config.xml.
Create the configuration file by copying and renaming one of the following files (use their settings as a model):
/etc/ssh2/ssh-server-config-example.xml
/etc/ssh2/ssh-server-config-tutorial.xml
You can view the default settings in the file:
/etc/ssh2/ssh-server-config-default.xml
The following example shows the configuration file with the settings required to produce the use case described in Configuring Tectia Server for Automated Secure File Transfer.
For instructions, see the sections below the configuration file example.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE secsh-server SYSTEM "/opt/tectia/share/auxdata/ssh-server-ng/ssh-server-ng-config-1.dtd" [
  <!ENTITY configdir PUBLIC "secsh:directory(config-server)" "">
]>
<secsh-server>
  <!--This block defines the allowed cryptographic methods-->
  <!--Keep the default settings-->
  <params>
    <crypto-lib mode="standard" />
    <hostkey>
      <private file="&configdir;/hostkey" />
      <public file="&configdir;/hostkey.pub" />
    </hostkey>
    <listener id="listener" port="22" />
    <limits max-connections="256" max-processes="40" />
  </params>
  <!--This block defines the allowed server authentication methods-->
  <!--Keep the default settings-->
  <connections>
    <connection action="allow">
      <cipher name="aes128-cbc" />
      <cipher name="aes192-cbc" />
      <cipher name="aes256-cbc" />
      <cipher name="aes128-ctr" />
      <cipher name="aes192-ctr" />
      <cipher name="aes256-ctr" />
      <cipher name="3des-cbc" />
      <cipher name="crypticore128@ssh.com" />
      <mac name="hmac-sha1" />
      <mac name="hmac-sha1-96" />
      <mac name="hmac-sha256-2@ssh.com" />
      <mac name="hmac-sha224@ssh.com" />
      <mac name="hmac-sha256@ssh.com" />
      <mac name="hmac-sha384@ssh.com" />
      <mac name="hmac-sha512@ssh.com" />
      <mac name="crypticore-mac@ssh.com" />
    </connection>
  </connections>
  <!--This block defines the allowed user authentication methods-->
  <!--Allow only public key authentication-->
  <authentication-methods login-grace-time="600">
    <authentication action="allow">
      <auth-publickey />
    </authentication>
  </authentication-methods>
  <!--This block defines first user groups and then a set of rules for each group-->
  <!--The default settings are applied to users left outside the groups-->
  <services>
    <!--Define a group for enforced password changing for users with-->
    <!--expired passwords.-->
    <!--Omit this group if you do not want to enforce password changes-->
    <group name="passwd-change">
      <selector>
        <user-password-change-needed />
      </selector>
    </group>
    <!--Define a group for privileged users-->
    <!--Selector is used to define criteria for inclusion into the group-->
    <group name="admin">
      <selector>
        <user-privileged value="yes" />
      </selector>
    </group>
    <!--Define a group for SFTP-only users-->
    <!--The members are listed in a separate group named staff-->
    <group name="SFTP-users">
      <selector>
        <user-group name="staff" />
      </selector>
    </group>
    <!--Define the enforced password changing policy-->
    <!--Omit this group if you do not want to enforce password changes-->
    <rule group="passwd-change">
      <terminal action="deny" />
      <command application="/usr/bin/passwd" action="forced" />
      <tunnel-local action="deny" />
      <tunnel-remote action="deny" />
    </rule>
    <!--Define what the privileged users are allowed to do-->
    <rule group="admin" idle-timeout="0">
      <terminal action="allow" />
      <subsystem type="sftp" action="allow" application="sft-server-g3" />
      <command action="allow" />
      <tunnel-local action="allow" />
      <tunnel-remote action="allow" />
    </rule>
    <!--Define what the SFTP-only users are allowed to do-->
    <rule group="SFTP-users">
      <terminal action="deny" />
      <subsystem type="sftp" action="allow" application="sft-server-g3" chroot="/home/%username%" />
      <command action="deny" />
      <tunnel-local action="deny" />
      <tunnel-remote action="deny" />
    </rule>
    <!--Define that all actions are denied from the rest of the users-->
    <rule>
      <terminal action="deny" />
      <subsystem type="sftp" action="deny" application="sft-server-g3" />
      <command action="deny" />
      <tunnel-local action="deny" />
      <tunnel-remote action="deny" />
    </rule>
  </services>
</secsh-server>
For information on Tectia Server behavior with expired passwords, see section Configuration File for Tectia Server in Tectia Server Administrator Manual.
To enable public-key authentication on the server, include the following settings in the ssh-server-config.xml file, in the <authentication-methods/> block:
<authentication action="allow">
  <auth-publickey />
</authentication>
When one or more <authentication/> elements are defined, only the methods specified in them are applicable. If no <authentication/> elements are defined, the default settings are used.
To restrict the access to the file transfer service, first create user groups and then define rules for them.
In the ssh-server-config.xml file, define groups named admin and SFTP-users in the services block.
With the <selector/> element, define who belongs to each group. Group admin includes all privileged users. Group SFTP-users includes the users who are allowed to use the SFTP service. Attach an existing operating-system user group, for example "staff", to the SFTP-users group.
<group name="admin">
  <selector>
    <user-privileged value="yes" />
  </selector>
</group>
<group name="SFTP-users">
  <selector>
    <user-group name="staff" />
  </selector>
</group>
Definitions of the XML elements:
<group/>
Creates a group that can be used as a basis for restricting services. Groups are defined based on selectors. The name must be given as an attribute. The value of name must be a valid XML name beginning with a letter and containing alphanumeric characters and underscore characters, without any whitespace.
<rule/>
This element defines a rule for the specified group of users. Rules can be used to restrict the services and commands the server allows the users. The rules are read in order, and the first rule that matches the user's group is used. The match must be exact; no wildcards are allowed in the group attribute. If no group is specified, the rule matches all users.
<rule group="SFTP-users">
  <terminal action="deny" />
  <subsystem type="sftp" action="allow" application="sft-server-g3" chroot="/home/%username%" />
  <command action="deny" />
  <tunnel-local action="deny" />
  <tunnel-remote action="deny" />
</rule>
<rule>
  <terminal action="deny" />
  <subsystem type="sftp" action="deny" application="sft-server-g3" />
  <command action="deny" />
  <tunnel-local action="deny" />
  <tunnel-remote action="deny" />
</rule>
For the rest of the XML element definitions, see Tectia Server Administrator Manual.
By default, the files a user can reach through the SFTP subsystem are restricted only by the file system's access controls. You can define more restrictions by activating chrooting.
Chrooting definitions are made in the ssh-server-config.xml configuration file.
Folder access can be further restricted by using the chroot attribute. The chroot attribute can be used with the subsystem, terminal, and command elements. For more information on chrooting, see Tectia Server Administrator Manual.
The chroot attribute must be a directory path. The values %username%, %homedir%, and %hostname% will be substituted with the name of the currently logged-in user, the user's home directory, and the FQDN of the connected client, respectively.
An example of chroot usage is shown below:
<rule group="SFTP-users">
  <subsystem type="sftp" action="allow" application="sft-server-g3" chroot="/home/%username%" />
</rule>
Here %username% will be replaced. For example, for user user7, the path would be /home/user7. During an SFTP session, user user7 is now restricted to this directory (and its subdirectories).
Note: Chrooting the SFTP subsystem affects both SFTP and SCP2 operations to the server, but it does NOT affect OpenSSH-style SCP operations. To chroot also OpenSSH SCP, you should chroot the
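The following Python script is an added example, not Tectia's own code and not part of the original page. It applies the rule-matching semantics described for the rule element (rules read in file order, first match wins, exact group-name match, a group-less rule matches everyone) and the chroot placeholder substitution described above to a constructed services block modelled on this page's configuration, so you can check which rule a given user would land on before deploying the file. The user record fields and the selector semantics (conditions inside one selector ANDed, separate selectors ORed) are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed <services> block modelled on the page's example (not the real config file).
CONFIG = """<secsh-server><services>
<group name="passwd-change"><selector><user-password-change-needed/></selector></group>
<group name="admin"><selector><user-privileged value="yes"/></selector></group>
<group name="SFTP-users"><selector><user-group name="staff"/></selector></group>
<rule group="passwd-change"><terminal action="deny"/><command application="/usr/bin/passwd" action="forced"/></rule>
<rule group="admin"><terminal action="allow"/><subsystem type="sftp" action="allow"/><command action="allow"/></rule>
<rule group="SFTP-users"><terminal action="deny"/><command action="deny"/>
  <subsystem type="sftp" action="allow" application="sft-server-g3" chroot="/home/%username%"/></rule>
<rule><terminal action="deny"/><subsystem type="sftp" action="deny"/><command action="deny"/></rule>
</services></secsh-server>"""

# Placeholders the page documents, mapped to the (assumed) fields of the user record.
PLACEHOLDERS = {"%username%": "name", "%homedir%": "homedir", "%hostname%": "client_fqdn"}

def user_in_group(group, user):
    # Assumed semantics: conditions inside one <selector> are ANDed, separate <selector>s are ORed.
    for sel in group.findall("selector"):
        for cond in sel:
            if cond.tag == "user-privileged" and (cond.get("value") == "yes") != user["privileged"]:
                break
            if cond.tag == "user-group" and cond.get("name") not in user["os_groups"]:
                break
            if cond.tag == "user-password-change-needed" and not user["pw_expired"]:
                break
        else:
            return True  # every condition of this selector held
    return False

def effective_rule(xml_text, user):
    """First <rule> in file order that applies to the user; a group-less rule matches everyone."""
    services = ET.fromstring(xml_text).find("services")
    groups = {g.get("name"): g for g in services.findall("group")}
    for rule in services.findall("rule"):
        name = rule.get("group")
        if name is not None and not user_in_group(groups[name], user):
            continue  # exact group-name match required, no wildcards
        result = {"group": name}
        for el in rule:
            key = el.tag + ("-" + el.get("type") if el.tag == "subsystem" else "")
            result[key] = el.get("action")
            if el.get("chroot"):
                path = el.get("chroot")
                for placeholder, field in PLACEHOLDERS.items():
                    path = path.replace(placeholder, user[field])
                result[key + "-chroot"] = path
        return result
```

Calling effective_rule(CONFIG, user) with a user record such as {"name": "user7", "privileged": False, "os_groups": {"staff"}, "pw_expired": False, "homedir": "/home/user7", "client_fqdn": "client.example"} returns the SFTP-users rule with the chroot resolved to /home/user7.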
You can restrict terminal access so that it is allowed only for users in group admin. To disable terminal access for everyone else, make the following settings in the ssh-server-config.xml file, in the services block:
<rule group="admin">
  <terminal action="allow" />
  ...
</rule>
<rule group="SFTP-users">
  <terminal action="deny" />
  ...
</rule>
<rule>
  <terminal action="deny" />
  ...
</rule>
This setting also denies X11 forwarding, agent forwarding, and shell commands for the specified group (unless some commands are explicitly allowed).
The users will be able to use SFTP and other subsystems defined in the Tectia Server configuration. Any other "exec" and "shell" requests will be denied for the users. This includes forced commands with public keys and the legacy-style password changing when performed as a forced command.