In this example, the user named tunnel is restricted to tunneling services, while other users have terminal access. All users are denied the file transfer service, X11 forwarding, and agent forwarding.
Note that users with terminal (shell) access are restricted only by the SSH Tectia Server configuration; they can, for example, set up their own port forwardings from the client side. See SSH Tectia Client Privileged User for more information.
SSH Tectia Connector uses only outgoing tunnels. The tunnels are established based on the configuration of the application being tunneled. See Local Tunnels for details on the tunneling principles.
The following SSH Tectia Server configuration options deny incoming tunnels (remote port forwarding) and allow outgoing tunnels (local port forwarding) for all users, in this example only to http://webserver.example.com or https://webserver.example.com:
  <services>
    <rule>
      <tunnel-local action="allow">
        <dst fqdn="*.example.com" port="80" />
        <dst fqdn="*.example.com" port="443" />
      </tunnel-local>
      <tunnel-local action="deny" />
      <tunnel-remote action="deny" />
      ...
    </rule>
  </services>
The following SSH Tectia Server configuration options deny the user tunnel terminal access:
  <services>
    <group name="tunnel">
      <selector>
        <user name="tunnel" />
      </selector>
    </group>
    <rule group="tunnel">
      <terminal action="deny" />
      <command action="forced" application="no-shell" />
      ...
    </rule>
    ...
  </services>
Denying the terminal also denies X11 forwarding, agent forwarding, and shell commands (unless some commands are explicitly allowed).
The command action in this example provides an alternative method of informing the user of denied shell access, using the /bin/no-shell script introduced in Using a Shared Account.
This method can be used if the risk of the user gaining access by means other than Secure Shell can be eliminated. This way, each user's login shell does not have to be set separately, and the setting scales easily to several users.
Using the SSH Tectia Server Configuration GUI on Windows, similar settings can be made on the Services page, Basic tab. See Basic.
To deny all users access to the SFTP server, change the default SFTP subsystem configuration option of SSH Tectia Server to:
  ...
  <rule>
    ...
    <subsystem type="sftp" action="deny" />
    ...
  </rule>
  ...
Using the SSH Tectia Server Configuration GUI on Windows, this can be set on the Services page, SFTP tab. See SFTP.
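The three fragments above are easy to get subtly wrong when merged into one ssh-server-config.xml: the group-specific rule must come before the default rule, every rule must deny SFTP and remote tunnels, and the local-tunnel allow list must be closed by a catch-all deny. The following is an added example, not code from the SSH Tectia documentation or product: an offline policy check that parses a constructed services section (the page's fragments merged into one element) with the Python standard library and reports any of those properties that do not hold. Element and attribute names are taken from the fragments on this page; the assumptions that rules and tunnel-local entries are evaluated first-match in document order, and that a rule without a catch-all tunnel-local deny is permissive, are this example's own.

```python
"""Offline policy check for a Tectia-style <services> configuration.

Added example, not part of SSH Tectia. Assumes first-match evaluation of
<rule> and <tunnel-local> elements in document order, and that a rule with
no trailing catch-all <tunnel-local action="deny" /> permits any local tunnel.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the page's three fragments merged into one <services>
# element. The "tunnel" group rule is placed first so it wins over the default.
HARDENED = """
<services>
  <group name="tunnel">
    <selector>
      <user name="tunnel" />
    </selector>
  </group>
  <rule group="tunnel">
    <terminal action="deny" />
    <command action="forced" application="no-shell" />
    <subsystem type="sftp" action="deny" />
    <tunnel-local action="allow">
      <dst fqdn="*.example.com" port="80" />
      <dst fqdn="*.example.com" port="443" />
    </tunnel-local>
    <tunnel-local action="deny" />
    <tunnel-remote action="deny" />
  </rule>
  <rule>
    <terminal action="allow" />
    <subsystem type="sftp" action="deny" />
    <tunnel-local action="allow">
      <dst fqdn="*.example.com" port="80" />
      <dst fqdn="*.example.com" port="443" />
    </tunnel-local>
    <tunnel-local action="deny" />
    <tunnel-remote action="deny" />
  </rule>
</services>
"""

# Weak variant (constructed): the catch-all local-tunnel deny is dropped from
# the "tunnel" rule, which under the assumed default leaves that user free to
# tunnel anywhere.
WEAK = HARDENED.replace('<tunnel-local action="deny" />', '', 1)

# The only local-tunnel destinations the policy is meant to allow.
ALLOWED_DST = {("*.example.com", "80"), ("*.example.com", "443")}


def check_services(xml_text):
    """Return a list of findings; an empty list means the policy holds."""
    root = ET.fromstring(xml_text)
    findings = []
    rules = root.findall("rule")
    groups = {g.get("name") for g in root.findall("group")}

    # The restricted user needs a group, a rule for that group evaluated before
    # any default rule, and a terminal deny in that rule.
    tunnel_rules = [r for r in rules if r.get("group") == "tunnel"]
    if "tunnel" not in groups or not tunnel_rules:
        findings.append("no group/rule named 'tunnel'")
    else:
        idx = rules.index(tunnel_rules[0])
        if any(r.get("group") is None for r in rules[:idx]):
            findings.append("a default rule precedes the 'tunnel' rule, so it never matches")
        term = tunnel_rules[0].find("terminal")
        if term is None or term.get("action") != "deny":
            findings.append("'tunnel' rule does not deny terminal")

    # Properties every rule must satisfy: no SFTP, no remote tunnels, and local
    # tunnels only to the listed destinations, closed by a catch-all deny.
    for r in rules:
        name = r.get("group", "<default>")
        sftp = [s for s in r.findall("subsystem") if s.get("type") == "sftp"]
        if not sftp or any(s.get("action") != "deny" for s in sftp):
            findings.append(f"rule {name}: sftp not denied")
        remote = r.findall("tunnel-remote")
        if not remote or any(t.get("action") != "deny" for t in remote):
            findings.append(f"rule {name}: remote tunnels not denied")
        local = r.findall("tunnel-local")
        # A catch-all deny is a trailing deny element with no <dst> children.
        if not local or local[-1].get("action") != "deny" or len(local[-1]):
            findings.append(f"rule {name}: local tunnels not closed by a catch-all deny")
        for t in local:
            if t.get("action") != "allow":
                continue
            dsts = t.findall("dst")
            if not dsts:
                findings.append(f"rule {name}: unrestricted local tunnel allow")
            for d in dsts:
                key = (d.get("fqdn") or d.get("ip"), d.get("port"))
                if key not in ALLOWED_DST:
                    findings.append(f"rule {name}: unexpected local tunnel destination {key}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("hardened", HARDENED), ("weak", WEAK)):
        print(label, check_services(cfg) or "OK")
```

Run it against a real ssh-server-config.xml by reading the file and passing the text of its services element to check_services; the ALLOWED_DST set is the place to record which destinations the site actually intends to expose.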