SSH

Restricting Services

In this example, the user tunnel is restricted to tunneling only, while other users also have terminal access. All users are denied the file transfer service, X11 forwarding and agent forwarding.

Note that the users with terminal (shell) access are restricted only by the Tectia Server configuration and can, for example, set up their own port forwardings from the client side. For more information, see Tectia Client Privileged User.

Tunneling

Transparent TCP tunneling uses only local tunnels. The tunnels are established based on the configuration of the application being tunneled. For details on the tunneling principles, see Local Tunnels.

The following Tectia Server configuration denies remote tunnels (remote port forwarding) for all users and allows local tunnels (local port forwarding) for all users, but only to hosts under example.com on ports 80 and 443, for example to http://webserver.example.com or https://webserver.example.com.

<services>
  <rule>
    <!-- Local tunnels only to example.com hosts on HTTP and HTTPS ports -->
    <tunnel-local action="allow">
      <dst fqdn="*.example.com" port="80" />
      <dst fqdn="*.example.com" port="443" />
    </tunnel-local>
    <!-- Catch-all: any local tunnel not allowed above is denied -->
    <tunnel-local action="deny" />
    <!-- No remote port forwarding for anyone -->
    <tunnel-remote action="deny" />
    ...
  </rule>
</services>

Disabling Terminal Access

The following Tectia Server configuration denies terminal access for users in the group tunnel.

<services>
  <!-- Group "tunnel" contains the single user account "tunnel" -->
  <group name="tunnel">
    <selector>
      <user name="tunnel" />
    </selector>
  </group>
  <!-- Rule applied to members of group "tunnel" -->
  <rule group="tunnel">
    <terminal action="deny" />
    <subsystem type="sftp" application="sft-server-g3" action="deny" />
    <!-- Forced command: every session runs /bin/no-shell instead of a shell -->
    <command action="forced" application="no-shell" />
    ...
  </rule>
  ...
</services>

Denying terminal access also denies X11 forwarding, agent forwarding and shell commands (unless some commands are explicitly allowed).

The forced command in this example provides an alternative way of informing the user that shell access is denied, using the /bin/no-shell script introduced in Using a Shared Account.

This method can be used when the risk of the user gaining access by means other than Secure Shell can be ruled out. Each user's login shell then does not have to be set separately, and the setting scales easily to many users.

Using the Tectia Server Configuration GUI, similar settings can be made on the Services page, Basic tab. See Basic.

Disabling File Transfers

To deny all users access to the SFTP server, change the default SFTP subsystem configuration of Tectia Server to:

...
  <rule>
    ...
    <subsystem type="sftp" action="deny" />
    ...
  </rule>
  ...

Using the Tectia Server Configuration GUI, this can be set on the Services page, SFTP tab. See SFTP.
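The three fragments above (tunnel restrictions, the terminal-denied group, and the SFTP deny) only take effect together if the user ends up in the rule you intended, and the order of the tunnel-local elements decides what the catch-all deny covers. The following is an added example, not Tectia's own code or tooling: a small offline evaluator for the <services> section that previews the effective policy for a given user before the file is deployed. The merged SAMPLE_CONFIG is constructed for this example, and the evaluator assumes first-match ordering for rules and tunnel elements, shell-style wildcards in dst fqdn, dst port as a single number or an N-M range, and that an absent element means the service is allowed; verify these against the Tectia Server manual before relying on the output.

```python
# Added example (not Tectia's own code): offline evaluator for a Tectia
# Server <services> section. Models only the elements used on this page:
# group/selector/user, rule, terminal, subsystem, command, tunnel-local,
# tunnel-remote.
#
# Assumptions (not from the page; check against the Tectia manual):
#   - <rule> elements are matched top-down, first match wins; a <rule>
#     without a group attribute matches every user;
#   - tunnel-local / tunnel-remote elements inside a rule are matched
#     top-down too; an element with no <dst> children is a catch-all;
#   - dst fqdn uses shell-style wildcards, dst port is "N" or "N-M";
#   - an absent element means the service is allowed.
import fnmatch
import xml.etree.ElementTree as ET

# Constructed sample: the page's fragments merged into one section, with a
# default rule for everyone who is not in group "tunnel".
SAMPLE_CONFIG = """<services>
  <group name="tunnel">
    <selector>
      <user name="tunnel" />
    </selector>
  </group>
  <rule group="tunnel">
    <terminal action="deny" />
    <subsystem type="sftp" application="sft-server-g3" action="deny" />
    <command action="forced" application="no-shell" />
    <tunnel-local action="allow">
      <dst fqdn="*.example.com" port="80" />
      <dst fqdn="*.example.com" port="443" />
    </tunnel-local>
    <tunnel-local action="deny" />
    <tunnel-remote action="deny" />
  </rule>
  <rule>
    <terminal action="allow" />
    <subsystem type="sftp" action="deny" />
    <tunnel-local action="allow">
      <dst fqdn="*.example.com" port="80" />
      <dst fqdn="*.example.com" port="443" />
    </tunnel-local>
    <tunnel-local action="deny" />
    <tunnel-remote action="deny" />
  </rule>
</services>"""


def user_groups(services, user):
    """Names of <group>s whose <selector> lists this user by name."""
    groups = set()
    for group in services.findall("group"):
        for sel in group.findall("selector"):
            if any(u.get("name") == user for u in sel.findall("user")):
                groups.add(group.get("name"))
    return groups


def rule_for(services, user):
    """First <rule> matching the user: group rule for a member, else a
    rule with no group attribute. None if nothing matches."""
    groups = user_groups(services, user)
    for rule in services.findall("rule"):
        g = rule.get("group")
        if g is None or g in groups:
            return rule
    return None


def _port_matches(spec, port):
    """spec is None (any port), "N" or "N-M"."""
    if spec is None:
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def tunnel_allowed(rule, direction, host, port):
    """Walk tunnel-<direction> elements in order; first match decides."""
    for t in rule.findall("tunnel-" + direction):
        dsts = t.findall("dst")
        if not dsts or any(fnmatch.fnmatchcase(host, d.get("fqdn", "*"))
                           and _port_matches(d.get("port"), port)
                           for d in dsts):
            return t.get("action", "allow") == "allow"
    return True  # no tunnel element at all: treated as allowed


def effective_policy(xml_text, user):
    """Summarise terminal, SFTP and forced-command settings for a user."""
    services = ET.fromstring(xml_text)
    rule = rule_for(services, user)
    if rule is None:
        return {"rule_found": False}

    def allowed(el):
        return el is None or el.get("action", "allow") == "allow"

    sftp = [s for s in rule.findall("subsystem") if s.get("type") == "sftp"]
    cmd = rule.find("command")
    forced = cmd.get("application") if cmd is not None and cmd.get("action") == "forced" else None
    return {
        "rule_found": True,
        "terminal": allowed(rule.find("terminal")),
        "sftp": all(allowed(s) for s in sftp),
        "forced_command": forced,
    }


def check_tunnel(xml_text, user, direction, host, port):
    """True if the user's matching rule allows the tunnel to host:port."""
    services = ET.fromstring(xml_text)
    rule = rule_for(services, user)
    return rule is not None and tunnel_allowed(rule, direction, host, port)


if __name__ == "__main__":
    for who in ("tunnel", "alice"):
        print(who, effective_policy(SAMPLE_CONFIG, who))
        for host, port in (("webserver.example.com", 443), ("db.example.com", 5432)):
            ok = check_tunnel(SAMPLE_CONFIG, who, "local", host, port)
            print("  local tunnel to %s:%d -> %s" % (host, port, ok))
```

A quick sanity check this makes easy: swap the two tunnel-local elements in a rule and the evaluator reports every local tunnel denied, which is what the server would do if the catch-all deny came first. The same script also shows that the group rule must carry its own tunnel and subsystem settings, because a user who matches the group rule never reaches the default rule below it.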