SSH Tectia 
Restricting Services

In this example, the user named tunnel is restricted to tunneling services, while other users have terminal access. All users are denied the file transfer service as well as X11 and agent forwarding.

Please see Section Subconfigurations for information on user-specific configurations if more fine-grained control is needed over the services.

Note that the users with terminal (shell) access are restricted only in the SSH Tectia Server configuration and can, for example, set up their own port forwardings. Please see Section Privileged Users for more information.


SSH Tectia Connector will use only outgoing tunnels. The tunnels are established based on the configuration of the application being tunneled. Please see Section Application Tunneling for details on the tunneling principles.

The following configuration options of SSH Tectia Server will deny incoming tunnels (remote port forwarding) and allow outgoing tunnels (local port forwarding) for all users for example to or

AllowTcpForwarding       yes
ForwardACL               deny remote .* .*
ForwardACL               allow local .* .*\.example\.com(80|443)

Note that a ForwardACL forward pattern defined with a DNS name does not match if the tunneled application uses IP addresses instead of DNS names for connections. A forward pattern defined with an IP address will match both.

Please see Section Restricting User Logins for more information on the egrep regular expression syntax used in configurations.

Terminal Access

The following configuration option of SSH Tectia Server will deny the user tunnel terminal access.

Terminal.DenyUsers       tunnel

It is also recommended to deny X11 forwarding and agent forwarding if terminal access is denied, as there is no need to allow that functionality:

AllowX11Forwarding       no
AllowAgentForwarding     no
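
As an added example (not part of the SSH Tectia documentation or product), the following Python sketch audits a configuration excerpt against the tunneling and terminal-access settings shown above and flags DNS-name forward patterns, following the note on IP addresses. The `#` comment handling, the comma- or whitespace-separated Terminal.DenyUsers list, exact-name matching, and the letter-based DNS-name heuristic are assumptions; the sample configuration is constructed.

```python
import re

# Constructed sample: the page's settings with AllowAgentForwarding left at "yes".
SAMPLE = r"""
# sshd2_config excerpt (constructed)
AllowTcpForwarding       yes
ForwardACL               deny remote .* .*
ForwardACL               allow local .* .*\.example\.com(80|443)
Terminal.DenyUsers       tunnel
AllowX11Forwarding       no
AllowAgentForwarding     yes
"""

def parse(text):
    """Yield (keyword, value) pairs; keywords are lower-cased, '#' lines skipped (assumed)."""
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            yield parts[0].lower(), parts[1].strip()

def audit(text, tunnel_user="tunnel"):
    """Return a list of findings; an empty list means the excerpt matches the page."""
    opts, acls, findings = {}, [], []
    for key, value in parse(text):
        if key == "forwardacl":
            acls.append(value.split())  # [action, direction, user-pattern, forward-pattern]
        else:
            opts[key] = value
    for key in ("allowx11forwarding", "allowagentforwarding"):
        if opts.get(key, "").lower() != "no":
            findings.append(f"{key} is not set to 'no'")
    denied = re.split(r"[,\s]+", opts.get("terminal.denyusers", ""))
    if tunnel_user not in denied:  # exact-name comparison only (simplification)
        findings.append(f"terminal access not denied for '{tunnel_user}'")
    if ["deny", "remote", ".*", ".*"] not in [a[:4] for a in acls]:
        findings.append("no blanket 'deny remote' ForwardACL rule")
    for acl in acls:
        if acl[:2] == ["allow", "local"] and len(acl) >= 4:
            # Heuristic: drop escaped characters, then any letter implies a DNS-name pattern.
            if re.search(r"[A-Za-z]", re.sub(r"\\.", "", acl[3])):
                findings.append(f"DNS-name forward pattern '{acl[3]}' will not match IP-based connections")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("FINDING:", finding)
```
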

File Transfers

To deny all users access to the SFTP server, change the default SFTP subsystem configuration option of SSH Tectia Server to:



Copyright © 2010 SSH Communications Security Corp.
This software is protected by international copyright laws. All rights reserved.