Restricting Services
In this example, the user tunnel
is restricted to tunneling services while
other users have terminal access. All users are denied file transfer service and
X11 and agent forwarding.
Please see Section Subconfigurations
for information on user-specific configurations if more fine-grained
control is needed over the services.
Note that users with terminal (shell) access are restricted only by the SSH Tectia Server
configuration itself and can, for example, set up their own port forwardings.
Please see
Section Privileged Users for more information.
Tunneling
SSH Tectia Connector will use only outgoing tunnels. The tunnels are established based on
the configuration of the application being tunneled. Please see Section Application Tunneling for details on the tunneling principles.
The following configuration options of SSH Tectia Server will deny incoming tunnels (remote
port forwarding) and allow outgoing tunnels (local port forwarding) for all
users, for example to http://webserver.example.com or https://webserver.example.com:
AllowTcpForwarding yes
ForwardACL deny remote .* .*
ForwardACL allow local .* .*\.example\.com%(80|443)
Note that a ForwardACL forward pattern defined with a DNS name
does not match if the tunneled application connects using IP addresses instead of
DNS names. A forward pattern defined with an IP address
will match both.
Please see Section Restricting User Logins for more information on the egrep regular expression syntax used in
configurations.
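To check ForwardACL patterns before deploying them, the following Python snippet (an added example, not part of the SSH Tectia documentation or product) evaluates a requested forward against rules in the host%port form used above. It assumes that patterns are matched against the whole string, that a matching deny rule always wins, that a forward must match at least one allow rule when allow rules exist for its direction, and that the resolved address is supplied by the caller; the user name and addresses are constructed for the example.

```python
import re

# ForwardACL rules in sshd2_config order, taken from the example above:
# (action, direction, user_pattern, forward_pattern). The forward pattern
# is matched against "host%port".
ACL = [
    ("deny", "remote", r".*", r".*"),
    ("allow", "local", r".*", r".*\.example\.com%(80|443)"),
]

def _matches(pattern, value):
    # egrep-style pattern, anchored to the whole value (assumption)
    return re.fullmatch(pattern, value) is not None

def forward_allowed(acl, direction, user, host, port, resolved_ip=None,
                    allow_tcp_forwarding=True):
    """Return True if the requested forward would be permitted.

    direction   "local" (outgoing) or "remote" (incoming)
    host        what the application asked for: a DNS name or an IP address
    resolved_ip constructed value standing in for name resolution, so the
                check runs offline; models the note that an IP-address
                pattern matches both name- and address-based requests

    Assumed semantics: AllowTcpForwarding no blocks everything; any matching
    deny rule wins; when allow rules exist for the direction, at least one
    must match; with no allow rules for the direction the forward is allowed.
    """
    if not allow_tcp_forwarding:
        return False
    targets = [f"{host}%{port}"]
    if resolved_ip:
        targets.append(f"{resolved_ip}%{port}")
    hits = [action for action, d, upat, fpat in acl
            if d == direction and _matches(upat, user)
            and any(_matches(fpat, t) for t in targets)]
    if "deny" in hits:
        return False
    has_allow = any(a == "allow" and d == direction for a, d, _, _ in acl)
    return "allow" in hits or not has_allow

if __name__ == "__main__":
    # DNS name matches the pattern; the same host requested by IP does not
    print(forward_allowed(ACL, "local", "tunnel", "webserver.example.com", 443))  # True
    print(forward_allowed(ACL, "local", "tunnel", "198.51.100.10", 443))          # False
    print(forward_allowed(ACL, "remote", "tunnel", "webserver.example.com", 80))  # False
```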
Terminal Access
The following configuration option of SSH Tectia Server will deny terminal access
to the user tunnel.
Terminal.DenyUsers tunnel
It is recommended to also deny X11 forwarding and agent forwarding when terminal
access is denied, as there is no need for that functionality:
AllowX11Forwarding no
AllowAgentForwarding no
File Transfers
To deny all users access to the SFTP server, change the default SFTP
subsystem configuration option of SSH Tectia Server to: