SSH

Restricting Services

If Tectia Server is used for file transfer only, it is advisable to disable remote commands, tunneling, and terminal access to the server.

On Unix, it is also possible to chroot SFTP. For instructions on that, see Chrooting SFTP.

Enabling the SFTP Subsystem

The secure file transfer subsystem can be defined in the ssh-server-config.xml file:

<services>
  <rule>
    <subsystem type="sftp" application="sft-server-g3" />
   ...
  </rule>
  ...
</services>

Using the Tectia Server Configuration GUI, this can be set under the Services page, on the SFTP tab. See SFTP.

Disabling Tunneling

If you are sure you or your users do not need to create tunnels (possibly going around firewall restrictions or such), you can disable tunneling (port forwarding) altogether by adding the following to the ssh-server-config.xml file:

<services>
  <rule>
   <tunnel-local action="deny" />
   <tunnel-remote action="deny" />
   ...
  </rule>
  ...
</services>

Using the Tectia Server Configuration GUI, these can be set under the Services page, on the Basic tab. See Basic.

If you need more fine-grained control, you can define user groups in the services block and apply the restrictions only to the specified groups.

Tunneling restrictions can be further defined with the src, dst, and listen elements. See Chapter 8 for more information.

Disabling Terminal Access

If you only want to enable file transfers or tunneling for users in group remote-access, you can disable terminal access by adding the following to the ssh-server-config.xml file:

<services>
  <rule group="remote-access">
    <terminal action="deny" />
    ...
  </rule>
  ...
</services>

Using the Tectia Server Configuration GUI, this can be set under the Services page, on the Basic tab. See Basic.

This setting denies also X11 and agent forwarding and shell commands for the specified group (unless some commands are explicitly allowed).

The users will be able to use SFTP and other subsystems defined in the Tectia Server configuration. Any other "exec" and "shell" requests will be denied for the users. This includes forced commands with public keys described in Forced Commands and the legacy style password changing when performed as forced command.

Disabling Remote Commands

If you wish to restrict what users can do with remote commands, we recommend that you set deny as the default action, and then allow only some specific remote commands, if any. This way you do not accidentally leave some unnoticed commands as allowed.

When terminal access is denied, also the remote commands are denied unless you explicitly define the commands as allowed or as forced. With the terminal access denied, it is advisable to allow only some specific commands. If all commands are allowed, the remote command users can perform most of the things they could do with the terminal access allowed. For more information, see command .

Note that restrictions on remote commands apply also to OpenSSH-style SCP operations to the server.

You can disable remote commands totally by adding the following settings to the ssh-server-config.xml file:

<services>
  <rule>
   <command action="deny" />
   <terminal action="deny" />
   ...
  </rule>
  ...
</services>

If you need more fine-grained control, you can define user groups in the services block and apply the restrictions only to the specified groups.

Using the Tectia Server Configuration GUI, remote commands can be disabled under the Services page, on the Basic tab. See Basic.

Defining SFTP Virtual Folders (Windows)

Virtual folders can be used to restrict the folders the user is able to access via SFTP and SCP2. The operating system file permissions are also enforced. The SFTP user must have intended read and write permissions, and at least read and list directory permissions for the parent folder of the virtual folder.

By default, if no virtual folders are explicitly defined in the configuration file, the user can access all drives via SFTP and SCP2 operations, the user's SFTP session starts in the %USERPROFILE% directory, and that is the target directory for SCP2 operations.

When any virtual folders are defined, the user access is limited to the specified folders only. Note that the user's home directory must be under one of the defined virtual folders.

It is also possible to change the SFTP starting directory and the target directory of the SCP2 operations by defining the home attribute in the configuration file. Its value can also contain special strings which are expanded by Tectia Server. These strings are %username% (user's login name), %username-without-domain% (user's login name without the domain part), %homedir% (user's home directory), and %hostname% (the name of the host the user is logging from, reverse mapped from the IP).

[Note]Note

Some special characters such as a slash "/" and a backslash "\" cannot be used in the name of the virtual folder (for example network_share) displayed to the SFTP user.

In case a trailing dollar sign $ is used in the virtual folder destination path (for example \\server\share$), the sign has to be escaped as follows:

network_share=\\server\share$$

The following example sets the starting directory to a user-specific subdirectory under C:\SFTP.

<services>
  <rule>
    <subsystem type="sftp" application="sft-server-g3" action="allow">
      <attribute name="virtual-folder" 
                 value="ftp_home=C:\SFTP\%username-without-domain%" />
      <attribute name="home" value="C:\SFTP\%username-without-domain%" />
    </subsystem>
    ...
  </rule>
  ...
</services>

If the home attribute is included in the configuration file but it is given an empty value, or if a directory that is denied by the virtual folder settings is specified, the session will start in the virtual SFTP root directory.

<services>
  <rule>
    <subsystem type="sftp" application="sft-server-g3" action="allow">
      <attribute name="virtual-folder" value="C:=C:\" />
      <attribute name="home" value="" />
    </subsystem>
   ...
  </rule>
  ...
</services>
[Note]Note

The virtual SFTP root folder is not an actual directory on disk and no files can be written there.

To define custom virtual folders, the virtual-folder attribute can be used in the configuration file. If any virtual folders are defined, the default drive letters are not used. If you still want to use the drive letters, they need to be defined in the configuration file.

The value of virtual folder can contain the same special strings as the value of home (%username%, %username-without-domain%, %homedir%, and %hostname%).

The following example allows access to the C: drive and a user-specific subdirectory under the SFTP parent folder on the D: drive (when a user changes directory to D:, he is actually directed to the user-specific directory). The session starts in the virtual SFTP root folder. No other directory can be accessed via SFTP.

<services>
  <rule>
    <subsystem type="sftp" application="sft-server-g3" action="allow">
      <attribute name="virtual-folder" value="C:=C:\" />
      <attribute name="virtual-folder" value="D:=D:\SFTP\%username%" />
      <attribute name="home" value="" />
    </subsystem>
   ...
  </rule>
  ...
</services>

In the Tectia Server Configuration tool, virtual folders can be set under the Services page on the SFTP tab. See SFTP. The settings in the example above are shown in Figure 7.2.

Defining virtual folders

Figure 7.2. Defining virtual folders