SSH Tectia

Restricting Services

In this example, the user tunnel is restricted to tunneling services while other users have terminal access. All users are denied file transfer service and X11 and agent forwarding.

Note that the users with terminal (shell) access are restricted only in the SSH Tectia Server configuration and can, for example, set up their own port forwardings. Please see SSH Tectia Client Privileged User for more information.

Tunneling

SSH Tectia Connector will use only local tunnels. The tunnels are established based on the configuration of the application being tunneled. Please see Local Tunnels for details on the tunneling principles.

The following configuration options of SSH Tectia Server will deny remote tunnels (remote port forwarding) and allow local tunnels (local port forwarding) for all users for example to http://webserver.example.com or https://webserver.example.com.

<services>
  <rule>
    <tunnel-local action="allow">
      <dst fqdn="*.example.com" port="80" />
      <dst fqdn="*.example.com" port="443" />
    </tunnel-local>
    <tunnel-local action="deny" />
    <tunnel-remote action="deny" />
    ...
  </rule>
</services>

Disabling Terminal Access

The following configuration options of SSH Tectia Server will deny terminal access from users in group tunnel.

<services>
  <group name="tunnel">
    <selector>
      <user name="tunnel" />
    </selector>
  </group>
  <rule group="tunnel">
    <terminal action="deny" />
    <subsystem type="sftp" application="sft-server-g3" action="deny" />
    <command action="forced" application="no-shell" />
    ...
  </rule>
  ...
</services>

Denying terminal denies also X11 and agent forwarding and shell commands (unless some commands are explicitly allowed).

The command action in this example provides an alternative method of informing the user of denied shell access using the /bin/no-shell script introduced in Using a Shared Account.

This method can be used if the risk of gaining access via other means than Secure Shell can be eliminated. This way, each user's shell does not have to be set separately, and the setting can be easily scaled to several users.

Using the SSH Tectia Server Configuration GUI on Windows, the similar settings can be made under the Services page on the Basic tab. See Basic.

Disabling File Transfers

To deny all users the access to the SFTP server, change the default SFTP subsystem configuration option of SSH Tectia Server to:

...
  <rule>
    ...
    <subsystem type="sftp" action="deny" />
     ...
  </rule>
  ...

Using the SSH Tectia Server Configuration GUI on Windows, this can be set under the Services page on the SFTP tab. See SFTP.