
Configuration Settings in ssh-server-config.xml

For the example use case, we need to override some of the Tectia Server default settings. This is done by creating an XML-format configuration file, ssh-server-config.xml.

Create the configuration file by copying and renaming one of the following files (use the settings as a model):

/etc/ssh2/ssh-server-config-example.xml
/etc/ssh2/ssh-server-config-tutorial.xml

You can view the default settings in file:

/etc/ssh2/ssh-server-config-default.xml

The following example shows the configuration file with the settings required to produce the use case described in Configuring Tectia Server for Automated Secure File Transfer.

For instructions, see the sections below the configuration file example.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE secsh-server SYSTEM
   "/opt/tectia/share/auxdata/ssh-server-ng/ssh-server-ng-config-1.dtd" [
  <!ENTITY configdir PUBLIC "secsh:directory(config-server)" "">
]>
<secsh-server>

<!--This block defines the allowed cryptographic methods-->
<!--Keep the default settings--> 
 <params>
  <crypto-lib mode="standard" />
  <hostkey>
   <private file="&configdir;/hostkey" />
   <public file="&configdir;/hostkey.pub" />
  </hostkey>
  <listener id="listener" port="22" />
  <limits max-connections="256" max-processes="40" />
 </params>
 
<!--This block defines the allowed server authentication methods--> 
<!--Keep the default settings-->
 <connections>
  <connection action="allow">
   <cipher name="aes128-cbc" />
   <cipher name="aes192-cbc" />
   <cipher name="aes256-cbc" />
   <cipher name="aes128-ctr" />
   <cipher name="aes192-ctr" />
   <cipher name="aes256-ctr" />
   <cipher name="3des-cbc" />
   <cipher name="crypticore128@ssh.com" />
   <mac name="hmac-sha1" />
   <mac name="hmac-sha1-96" />
   <mac name="hmac-sha256-2@ssh.com" />
   <mac name="hmac-sha224@ssh.com" />
   <mac name="hmac-sha256@ssh.com" />
   <mac name="hmac-sha384@ssh.com" />
   <mac name="hmac-sha512@ssh.com" />
   <mac name="crypticore-mac@ssh.com" />
  </connection>
 </connections>

<!--This block defines the allowed user authentication methods--> 
<!--Allow only public key authentication--> 
 <authentication-methods login-grace-time="600">
  <authentication action="allow">
   <auth-publickey />
  </authentication>
 </authentication-methods>
 
<!--This block defines first user groups and then a set of rules for each group--> 
<!--The default settings are applied to users left outside the groups--> 
 <services>
 
<!--Define a group for enforced password changing for users with-->
<!--expired passwords.-->
<!--Omit this group if you do not want to enforce password changes-->
  <group name="passwd-change">
   <selector>
    <user-password-change-needed />
   </selector>
  </group>

<!--Define a group for privileged users-->  
<!--Selector is used to define criteria for inclusion into the group-->
  <group name="admin">
   <selector>
    <user-privileged value="yes" />
   </selector>
  </group>

<!--Define a group for SFTP-only users-->    
<!--The members are listed in a separate group named staff-->    
  <group name="SFTP-users">
   <selector>
    <user-group name="staff" />
   </selector>
  </group>

<!--Define the enforced password changing policy-->
<!--Omit this group if you do not want to enforce password changes-->
  <rule group="passwd-change">
   <terminal action="deny" />
   <command application="/usr/bin/passwd" action="forced" />
   <tunnel-local action="deny" />
   <tunnel-remote action="deny" />
  </rule>

<!--Define what the privileged users are allowed to do-->  
  <rule group="admin" 
        idle-timeout="0">
   <terminal action="allow" />
   <subsystem type="sftp" 
              action="allow" 
              application="sft-server-g3" />
   <command action="allow" />
   <tunnel-local action="allow" />
   <tunnel-remote action="allow" />
  </rule>

<!--Define what the SFTP-only users are allowed to do-->    
  <rule group="SFTP-users">
   <terminal action="deny" />
   <subsystem type="sftp" 
              action="allow" 
              application="sft-server-g3"
              chroot="/home/%username%" />
   <command action="deny" />
   <tunnel-local action="deny" />
   <tunnel-remote action="deny" /> 
  </rule>

<!--Define that all actions are denied from the rest of the users-->      
  <rule>
   <terminal action="deny" />
   <subsystem type="sftp" 
              action="deny" 
              application="sft-server-g3" />
   <command action="deny" />
   <tunnel-local action="deny" />
   <tunnel-remote action="deny" />
  </rule>
 </services>
</secsh-server>

For information on Tectia Server behavior with expired passwords, see section Configuration File for Tectia Server in Tectia Server Administrator Manual.

Enabling Public-Key Authentication

To enable public-key authentication on the server, include the following settings in the ssh-server-config.xml file, in the <authentication-methods/> block:

<authentication action="allow">
  <auth-publickey />
</authentication>

When one or more <authentication/> elements are defined, only those methods specified in them are applicable. If no <authentication/> elements are defined, the default settings are used.

Restricting Access to File Transfer Service

To restrict the access to the file transfer service, first create user groups and then define rules for them.

In the ssh-server-config.xml file, define groups with names admin and SFTP-users in the services block.

With element <selector/>, define who belongs to each group. Group admin includes all privileged users. Group SFTP-users includes those users who are allowed to use the SFTP service. Attach an existing operating-system user group, for example "staff", to the SFTP-users group.

<group name="admin">
  <selector>
    <user-privileged value="yes" />
  </selector>
</group>

<group name="SFTP-users">
  <selector>
    <user-group name="staff" />
  </selector>
</group>

Definitions of the XML elements:

group

Creates a group that can be used as a basis for restricting services. Groups are defined based on selectors.

The name must be given as an attribute. The value of name must be a valid XML name beginning with a letter and containing only alphanumeric characters and underscores, without any whitespace.

selector

The selector defines criteria that specify the users that belong to the group.

rule

This element defines a rule for the specified group of users. Rules can be used to restrict the services and commands the server allows to the users.

The rules are read in order, and the first rule that matches the user's group is used. The match must be exact: no wildcards are allowed in the group attribute. If no group is specified, the rule matches all users.

<rule group="SFTP-users">
  <terminal action="deny" />
  <subsystem type="sftp" 
             action="allow" 
             application="sft-server-g3"
             chroot="/home/%username%" />
  <command action="deny" />
  <tunnel-local action="deny" />
  <tunnel-remote action="deny" /> 
</rule>

<rule>
  <terminal action="deny" />
  <subsystem type="sftp" 
             action="deny" 
             application="sft-server-g3" />
  <command action="deny" />
  <tunnel-local action="deny" />
  <tunnel-remote action="deny" />
</rule>

For the rest of the XML element definitions, see Tectia Server Administrator Manual.

Restricting Access to Folders

By default, file access by the user using the SFTP subsystem is restricted by the file system access controls. You can define more restrictions by activating chrooting.

Chrooting definitions are made in the ssh-server-config.xml configuration file.

Folder access can be further restricted by using the chroot attribute. The chroot attribute can be used with the subsystem, terminal, and command elements. For more information on chrooting, see Tectia Server Administrator Manual.

The chroot attribute must be a directory path. Values %username%, %homedir%, and %hostname% will be substituted with the user name currently logged in, the user's home directory, and the FQDN of the connected client, respectively.

An example of chroot usage is shown below:

<rule group="SFTP-users">
  <subsystem type="sftp" 
             action="allow" 
             application="sft-server-g3"
             chroot="/home/%username%" />
</rule>

Here %username% is substituted with the name of the logged-in user. For example, for user user7, the path would be /home/user7. During an SFTP session, user user7 is then restricted to this directory (and its subdirectories).

Note

Chrooting the SFTP subsystem affects both SFTP and SCP2 operations to the server, but it does NOT affect legacy OpenSSH-style SCP operations. To also chroot OpenSSH SCP (version 8 or older), you should chroot the scp1-compat-srv command. For instructions, see Tectia Server Administrator Manual. If you want to deny OpenSSH SCP, you can disable all remote commands, as is done in this example.
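The following Python script is an added audit helper, not code from Tectia or this manual. It parses a constructed services block modelled on the one above and applies the rule semantics from the rule definition (first match wins, exact group match, a rule without a group matches everyone) together with the chroot token substitution from this section, so you can check which rule a given user would actually hit. The user record fields, the AND-within-a-selector / OR-across-selectors semantics, and the client_fqdn parameter are assumptions.

```python
import xml.etree.ElementTree as ET
# Constructed sample mirroring the page's services block; DOCTYPE and params omitted.
SAMPLE_CONFIG = """<secsh-server><services>
 <group name="passwd-change"><selector><user-password-change-needed/></selector></group>
 <group name="admin"><selector><user-privileged value="yes"/></selector></group>
 <group name="SFTP-users"><selector><user-group name="staff"/></selector></group>
 <rule group="passwd-change"><terminal action="deny"/>
  <command application="/usr/bin/passwd" action="forced"/></rule>
 <rule group="admin"><terminal action="allow"/><subsystem type="sftp" action="allow"/>
  <command action="allow"/><tunnel-local action="allow"/><tunnel-remote action="allow"/></rule>
 <rule group="SFTP-users"><terminal action="deny"/>
  <subsystem type="sftp" action="allow" chroot="/home/%username%"/>
  <command action="deny"/><tunnel-local action="deny"/><tunnel-remote action="deny"/></rule>
 <rule><terminal action="deny"/><subsystem type="sftp" action="deny"/>
  <command action="deny"/><tunnel-local action="deny"/><tunnel-remote action="deny"/></rule>
</services></secsh-server>"""

# Selector criteria used on this page as predicates; any other criterion raises KeyError.
CRITERIA = {
    "user-privileged": lambda c, u: u["privileged"] == (c.get("value") == "yes"),
    "user-group": lambda c, u: c.get("name") in u["os_groups"],
    "user-password-change-needed": lambda c, u: u["password_expired"],
}

def member_groups(services, user):
    """Assumption: criteria within one <selector> are ANDed; several selectors are ORed."""
    return {g.get("name") for g in services.findall("group")
            if any(all(CRITERIA[c.tag](c, user) for c in sel)
                   for sel in g.findall("selector"))}

def effective_rule(config_xml, user, client_fqdn="client.example.com"):
    """First match wins: rules are read in order, the group attribute must match
    exactly, and a rule with no group matches everyone. Returns (group, perms)."""
    services = ET.fromstring(config_xml).find("services")
    groups = member_groups(services, user)
    for rule in services.findall("rule"):
        grp = rule.get("group")
        if grp is not None and grp not in groups:
            continue
        perms = {}
        for el in rule:
            key = f"subsystem:{el.get('type')}" if el.tag == "subsystem" else el.tag
            perms[key] = el.get("action")
            if el.get("chroot"):  # expand the substitution tokens the page lists
                perms[key + ":chroot"] = el.get("chroot").replace(
                    "%username%", user["name"]).replace("%homedir%",
                    user["homedir"]).replace("%hostname%", client_fqdn)
        return grp, perms
    return None, {}  # no rule matched; the server's default settings apply
```

Running it for a staff user whose password has expired shows why rule order matters: the passwd-change rule is listed first, so it wins over the SFTP-users rule even though the user is in both groups.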

Restricting Terminal Access

You can restrict terminal access so that it is allowed only for users in group admin. To disable terminal access from everyone else, make the following settings in the ssh-server-config.xml file, in the services block:

<rule group="admin">
  <terminal action="allow" />
...
</rule>

<rule group="SFTP-users">
  <terminal action="deny" />
...
</rule>

<rule>
  <terminal action="deny" />
...
</rule>

This setting also denies X11 forwarding, agent forwarding, and shell commands for the specified group (unless some commands are explicitly allowed).

The users will be able to use SFTP and other subsystems defined in the Tectia Server configuration. Any other "exec" and "shell" requests will be denied for the users. This includes forced commands with public keys and the legacy-style password changing when performed as a forced command.