In this example, the user named tunnel is restricted to tunneling services, while other users have terminal access. All users are denied the file transfer service, X11 forwarding, and agent forwarding.
Note that users with terminal (shell) access are restricted only by the Tectia Server configuration: once they have a shell on the host they can, for example, set up their own port forwardings by other means. For more information, see Tectia Client Privileged User.
Transparent TCP tunneling uses only local tunnels. The tunnels are established based on the configuration of the application being tunneled. For details on the tunneling principles, see Local Tunnels.
The following configuration options of Tectia Server deny remote tunnels (remote port forwarding) and allow local tunnels (local port forwarding) for all users, for example to http://webserver.example.com or https://webserver.example.com.
<services>
  <rule>
    <tunnel-local action="allow">
      <dst fqdn="*.example.com" port="80" />
      <dst fqdn="*.example.com" port="443" />
    </tunnel-local>
    <tunnel-local action="deny" />
    <tunnel-remote action="deny" />
    ...
  </rule>
</services>
The following configuration options of Tectia Server deny terminal access to users in the group tunnel.
<services>
  <group name="tunnel">
    <selector>
      <user name="tunnel" />
    </selector>
  </group>
  <rule group="tunnel">
    <terminal action="deny" />
    <subsystem type="sftp" application="sft-server-g3" action="deny" />
    <command action="forced" application="no-shell" />
    ...
  </rule>
  ...
</services>
Denying terminal access also denies X11 forwarding, agent forwarding, and shell commands (unless some commands are explicitly allowed).
The command action in this example provides an alternative method of informing the user of denied shell access, using the /bin/no-shell script introduced in Using a Shared Account.
This method can be used only if the risk of the user gaining access to the host by means other than Secure Shell can be eliminated, because the forced command is enforced by Tectia Server rather than by the account's login shell. The benefit is that each user's shell does not have to be set separately, so the setting scales easily to several users.
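To check what the two fragments above actually grant before deploying them, the following added example (not Tectia code, and not from this page) merges them into one <services> block and models how a rule is selected per user and how <tunnel-local> and <tunnel-remote> elements are evaluated. The merged XML is constructed for the example: the "..." placeholders are dropped, and the group rule repeats the tunnel elements because, on the assumption that the first matching <rule> wins, a rule with group="tunnel" placed first would otherwise be the only rule the tunnel user ever sees. The matching semantics (first match in document order, wildcard fqdn plus exact port on <dst>, an element without selectors matching everything, allow when an element is absent) are assumptions written into the comments, not taken from Tectia.

```python
"""Model of Tectia Server <services> rule selection and tunnel evaluation.
Added example for this page, not Tectia code; every matching rule below is
an assumption and is labelled as such."""
import fnmatch
import xml.etree.ElementTree as ET

# Constructed sample: the two fragments from the page merged into one block.
# The group rule repeats the tunnel elements so the "tunnel" user is bound by them.
SERVICES_XML = """
<services>
  <group name="tunnel">
    <selector>
      <user name="tunnel" />
    </selector>
  </group>
  <rule group="tunnel">
    <terminal action="deny" />
    <subsystem type="sftp" application="sft-server-g3" action="deny" />
    <command action="forced" application="no-shell" />
    <tunnel-local action="allow">
      <dst fqdn="*.example.com" port="80" />
      <dst fqdn="*.example.com" port="443" />
    </tunnel-local>
    <tunnel-local action="deny" />
    <tunnel-remote action="deny" />
  </rule>
  <rule>
    <terminal action="allow" />
    <subsystem type="sftp" action="deny" />
    <tunnel-local action="allow">
      <dst fqdn="*.example.com" port="80" />
      <dst fqdn="*.example.com" port="443" />
    </tunnel-local>
    <tunnel-local action="deny" />
    <tunnel-remote action="deny" />
  </rule>
</services>
"""


def _group_members(services):
    """Map group name -> set of user names taken from <group><selector><user/>."""
    return {
        g.get("name"): {u.get("name") for u in g.findall("selector/user")}
        for g in services.findall("group")
    }


def select_rule(services, user):
    """Assumption: <rule> elements are tried in document order and the first one
    whose group attribute is absent, or names a group containing the user, wins."""
    members = _group_members(services)
    for rule in services.findall("rule"):
        grp = rule.get("group")
        if grp is None or user in members.get(grp, set()):
            return rule
    raise LookupError(f"no <rule> matches user {user!r}")


def tunnel_allowed(rule, tag, fqdn=None, port=None):
    """Assumption: tunnel elements (tag is 'tunnel-local' or 'tunnel-remote') are
    evaluated in order. An element with no <dst> children matches every request;
    a <dst> matches when its wildcard fqdn matches the destination host and its
    port equals the destination port. No element at all means allowed (default)."""
    for el in rule.findall(tag):
        selectors = el.findall("dst")
        if not selectors:
            return el.get("action") == "allow"
        for dst in selectors:
            pattern = dst.get("fqdn")
            host_ok = pattern is not None and fqdn is not None and \
                fnmatch.fnmatchcase(fqdn.lower(), pattern.lower())
            port_ok = port is not None and dst.get("port") == str(port)
            if host_ok and port_ok:
                return el.get("action") == "allow"
    return True


def policy_for(services_xml, user):
    """Summarise what a user may do under the first matching rule.
    Assumption: a missing <terminal> or sftp <subsystem> element means allowed."""
    services = ET.fromstring(services_xml)
    rule = select_rule(services, user)
    terminal = rule.find("terminal")
    sftp = rule.find("subsystem[@type='sftp']")
    command = rule.find("command")
    forced = command is not None and command.get("action") == "forced"
    return {
        "terminal": terminal is None or terminal.get("action") == "allow",
        "sftp": sftp is None or sftp.get("action") == "allow",
        "forced_command": command.get("application") if forced else None,
        "local_tunnel": lambda host, port: tunnel_allowed(rule, "tunnel-local", host, port),
        "remote_tunnel": tunnel_allowed(rule, "tunnel-remote"),
    }


if __name__ == "__main__":
    for who in ("tunnel", "alice"):
        p = policy_for(SERVICES_XML, who)
        print(who, "terminal:", p["terminal"], "sftp:", p["sftp"],
              "forced:", p["forced_command"], "remote tunnel:", p["remote_tunnel"],
              "local to webserver.example.com:8080:",
              p["local_tunnel"]("webserver.example.com", 8080))
```

Running the script shows that the tunnel user gets no terminal, no SFTP, the no-shell forced command, local tunnels only to *.example.com on ports 80 and 443, and no remote tunnels, while any other user differs only in having terminal access. The point worth keeping from the model is the ordering: the allow element with <dst> selectors must precede the bare deny element, and a group rule placed before the general rule has to carry its own tunnel elements.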
Using the Tectia Server Configuration GUI, the similar settings can be made under the Services page on the Basic tab. See Basic.
To deny all users the access to the SFTP server, change the default SFTP subsystem configuration option of Tectia Server to:
...
<rule>
  ...
  <subsystem type="sftp" action="deny" />
  ...
</rule>
...
Using the Tectia Server Configuration GUI, this can be set under the Services page on the SFTP tab. See SFTP.