Restrictions to Tunneling
SSH Tectia ConnectSecure can be used to transparently tunnel FTP traffic to the mainframe.
SSH Tectia Client and ConnectSecure can be used to transparently tunnel TN3270 connections
from a Windows workstation to the mainframe. Also other applications can be tunneled
The following examples show how to restrict tunneling services for
certain groups and how to deny terminal and file transfer services.
Please see Section Subconfigurations
for information on user-specific configurations if more fine-grained
control is needed over the services.
Restricting Tunneling
Transparent tunneling with SSH Tectia Client and ConnectSecure uses only local tunnels (port
forwarding). The tunnels are established based on the configuration of the
application being tunneled. Please see SSH Tectia Client User Manual and
SSH Tectia ConnectSecure Administrator Manual for details on the tunneling principles.
The following configuration options of SSH Tectia Server for IBM z/OS will deny remote
port forwarding and allow local port forwarding for all
users for example to http://webserver.example.com
or
https://webserver.example.com
.
AllowTcpForwarding yes
ForwardACL deny remote .* .*
ForwardACL allow local .* .*\.example\.com%(80|443)
|
The format for the value of the ForwardACL
option is the
following:
(allow|deny) (local|remote) user-pat forward-pat [originator-pat]
user-pat
is used to match the client user, in the same way as
in the UserSpecificConfig
option.
With local port forwarding, forward-pat
is a pattern of format
host-id[%port]
. host-id
will match with the target
host of the forwarding, in the same way as in the AllowHosts
option. port
will match the target port. If the client attempts
to open the forwarding using a DNS name, the IP is looked up from the
DNS, which will be used to match the pattern.
Note that the ForwardACL
forward pattern defined with a DNS name
does not match if the tunneled application uses IP addresses instead of
DNS names for connections. The forward pattern defined with an IP address
will match to both.
With local port forwarding, originator-pat
will match the
originator address that the client has reported. However, restrictions
based on the source address of local port forwarding are normally not
reliable because the client can forge the source address.
originator-pat
should be used only if the client can be trusted
(for example, if it is administered by yourself).
If you specify any allow directives, all forwardings in that class
(local or remote) not specifically allowed will be denied. If a
forwarding matches both allow and deny directives, the forwarding will
be denied.
Also, if you have specified any of the options
{Allow,Deny}TcpForwardingFor{Users,Groups}
or
AllowTcpForwarding
, and the forwarding for the user is
disabled with those options, an allow directive will not re-enable the
forwarding for the user.
The following example denies all forwarding for the sftpusers
group. Other users are denied remote forwarding. User root
is
allowed all local forwarding. User tunnelu
is allowed local
forwarding only to the Telnet port (23) of addresses
*.example.com
, and the forwarding must originate from the
client machine local address (127.0.0.1
), it cannot be
forwarded from a third host (this assumes that the client machines are trusted).
AllowTcpForwarding yes
DenyTcpForwardingForGroups sftpusers
ForwardACL deny remote .* .*
ForwardACL allow local root .*
ForwardACL allow local tunnelu .*\.example\.com%23 127.0.0.1
|
Please see Section Restricting User Logins for more information on the egrep regular expression syntax used in
configurations.
Note that the users with terminal (shell) access are restricted only in the SSH Tectia Server
configuration and can, for example, set up their own port forwardings.
Please see
Section System Administration for more information.
Disabling Terminal Access
The following configuration option of SSH Tectia Server for IBM z/OS will deny the user
tunnelu
terminal access.
Terminal.DenyUsers tunnelu
|
Disabling File Transfers
To deny all users the access to the SFTP server, change the default SFTP
subsystem configuration option of SSH Tectia Server for IBM z/OS to: