In this example, the user tunnel
is restricted to tunneling services while
other users have terminal access. All users are denied file transfer service and
X11 and agent forwarding.
Note that the users with terminal (shell) access are restricted only in the SSH Tectia Server configuration and can, for example, set up their own port forwardings. For more information, see SSH Tectia Client Privileged User.
Transparent TCP tunneling uses only local tunnels. The tunnels are established based on the configuration of the application being tunneled. For details on the tunneling principles, see Local Tunnels.
The following configuration options of SSH Tectia Server will deny remote tunnels
(remote port forwarding) and allow local tunnels (local port forwarding) for all
users for example to http://webserver.example.com
or
https://webserver.example.com
.
<services> <rule> <tunnel-local action="allow"> <dst fqdn="*.example.com" port="80" /> <dst fqdn="*.example.com" port="443" /> </tunnel-local> <tunnel-local action="deny" /> <tunnel-remote action="deny" /> ... </rule> </services>
The following configuration options of SSH Tectia Server will deny terminal access
from users in group tunnel
.
<services> <group name="tunnel"> <selector> <user name="tunnel" /> </selector> </group> <rule group="tunnel"> <terminal action="deny" /> <subsystem type="sftp" application="sft-server-g3" action="deny" /> <command action="forced" application="no-shell" /> ... </rule> ... </services>
Denying terminal denies also X11 and agent forwarding and shell commands (unless some commands are explicitly allowed).
The command
action in this example provides an
alternative method of informing the user of denied shell access using
the /bin/no-shell
script introduced in
Using a Shared Account.
This method can be used if the risk of gaining access via other means than Secure Shell can be eliminated. This way, each user's shell does not have to be set separately, and the setting can be easily scaled to several users.
Using the SSH Tectia Server Configuration GUI, the similar settings can be made under the Services page on the Basic tab. See Basic.
To deny all users the access to the SFTP server, change the default SFTP subsystem configuration option of SSH Tectia Server to:
... <rule> ... <subsystem type="sftp" action="deny" /> ... </rule> ...
Using the SSH Tectia Server Configuration GUI, this can be set under the Services page on the SFTP tab. See SFTP.