SSH Tectia 
Restricting Services

In this example, the user tunnel is restricted to tunneling services while other users have terminal access. All users are denied file transfer service and X11 and agent forwarding.

Please see Section Subconfigurations for information on user-specific configurations if more fine-grained control is needed over the services.

Note that the users with terminal (shell) access are restricted only in the SSH Tectia Server configuration and can, for example, set up their own port forwardings. Please see Section Privileged Users for more information.


SSH Tectia Connector will use only outgoing tunnels. The tunnels are established based on the configuration of the application being tunneled. Please see Section Application Tunneling for details on the tunneling principles.

The following configuration options of SSH Tectia Server will deny incoming tunnels (remote port forwarding) and allow outgoing tunnels (local port forwarding) for all users for example to or

AllowTcpForwarding       yes
ForwardACL               deny remote .* .*
ForwardACL               allow local .* .*\.example\.com(80|443)

Note that a ForwardACL forward pattern defined with a DNS name does not match if the tunneled application uses IP addresses instead of DNS names for its connections. A forward pattern defined with an IP address matches both.

Please see Section Restricting User Logins for more information on the egrep regular expression syntax used in configurations.

Terminal Access

The following configuration option of SSH Tectia Server will deny the user tunnel terminal access.

Terminal.DenyUsers       tunnel

It is recommended to also deny X11 forwarding and agent forwarding when terminal access is denied, as there is no need to allow that functionality:

AllowX11Forwarding       no
AllowAgentForwarding     no
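
The restrictions above can be checked mechanically. The following Python script is an added example, not part of the SSH Tectia documentation or product: it parses a configuration text and reports which of the settings shown on this page are missing, and flags ForwardACL allow rules whose forward pattern is DNS-name based. The function names, the '#' comment handling, case-insensitive option names, last-occurrence-wins and the exact-name user match are assumptions of the example.

```python
import re

# Constructed sample: the option lines shown on this page, gathered into one text.
SAMPLE_CONFIG = r"""
AllowTcpForwarding       yes
ForwardACL               deny remote .* .*
ForwardACL               allow local .* .*\.example\.com(80|443)
Terminal.DenyUsers       tunnel
AllowX11Forwarding       no
AllowAgentForwarding     no
"""

def parse_config(text):
    """Map lower-cased option name -> list of values, in file order."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # assumption: '#' starts a comment
            continue
        parts = line.split(None, 1)
        opts.setdefault(parts[0].lower(), []).append(parts[1] if len(parts) == 2 else "")
    return opts

def audit(text, tunnel_user="tunnel"):
    """Return findings; for the page's configuration only the DNS-name caveat remains."""
    opts = parse_config(text)
    findings = []
    for name in ("allowx11forwarding", "allowagentforwarding"):
        if opts.get(name, [""])[-1].lower() != "no":   # assumption: last value wins
            findings.append(f"{name} is not set to 'no'")
    # Simplification: exact user names only, not the patterns the server accepts.
    denied = re.split(r"[,\s]+", " ".join(opts.get("terminal.denyusers", [])))
    if tunnel_user not in denied:
        findings.append(f"user '{tunnel_user}' is not in Terminal.DenyUsers")
    acls = [value.split() for value in opts.get("forwardacl", [])]
    if ["deny", "remote", ".*", ".*"] not in [acl[:4] for acl in acls]:
        findings.append("no 'ForwardACL deny remote .* .*' rule")
    for acl in acls:
        if len(acl) >= 4 and acl[0] == "allow":
            literal = re.sub(r"\\.", "", acl[3])    # drop escapes such as \.
            if re.search(r"[A-Za-z]", literal):     # heuristic: letters => DNS name
                findings.append(f"ForwardACL pattern '{acl[3]}' is DNS-name based; "
                                "it will not match connections made by IP address")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("-", finding)
```

The DNS-name check is a heuristic on the pattern text and would also flag an IPv6 literal containing hex letters.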

File Transfers

To deny all users access to the SFTP server, change the default SFTP subsystem configuration option of SSH Tectia Server to:


Copyright © 2010 SSH Communications Security Corp.
This software is protected by international copyright laws. All rights reserved.