In this example, the user "tunnel" is restricted to tunneling services while other users have terminal access. All users are denied the file transfer service as well as X11 and agent forwarding.
Please see Section Subconfigurations for information on user-specific configurations if more fine-grained control over the services is needed.
Note that users with terminal (shell) access are restricted only by the SSH Tectia Server configuration and can, for example, set up their own port forwardings. Please see Section Privileged Users for more information.
SSH Tectia Connector will use only outgoing tunnels. The tunnels are established based on the configuration of the application being tunneled. Please see Section Application Tunneling for details on the tunneling principles.
The following configuration options of SSH Tectia Server will deny incoming tunnels (remote port forwarding) and allow outgoing tunnels (local port forwarding) for all users, in this example to ports 80 and 443 on hosts in the example.com domain (the forward pattern has the form host%port):

    ForwardACL deny remote .* .*
    ForwardACL allow local .* .*\.example\.com%(80|443)
Note that a ForwardACL forward pattern defined with a DNS name does not match if the tunneled application connects using IP addresses instead of DNS names. A forward pattern defined with an IP address matches both cases.
Please see Section Restricting User Logins for more information on the egrep regular expression syntax used in configurations.
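The following is an added example, not part of the SSH Tectia documentation, that models how the two ForwardACL entries above are matched against a forwarding request so the DNS-name caveat can be seen: each egrep pattern is tried against the target as the client named it (host%port) and against its resolved address, which is why an IP-address pattern matches both forms while a DNS-name pattern does not. The name-to-address table and the evaluation order (a matching deny entry wins, otherwise a matching allow entry is required) are assumptions of this model, not documented server behaviour.

```python
import re

# Constructed hostname -> address table standing in for DNS resolution.
RESOLVER = {
    "www.example.com": "192.0.2.10",
    "www.example.org": "198.51.100.5",
}

# ForwardACL entries from the page, as (action, direction, user-pattern, forward-pattern).
PAGE_ACL = [
    ("deny", "remote", r".*", r".*"),
    ("allow", "local", r".*", r".*\.example\.com%(80|443)"),
]

def resolve(host):
    """IP literals resolve to themselves; names use the constructed table."""
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        return host
    return RESOLVER.get(host)

def target_forms(host, port):
    """host%port strings a pattern is tried against: the target as the client
    named it plus its resolved address, so an IP-address pattern matches either."""
    forms = {f"{host}%{port}"}
    addr = resolve(host)
    if addr:
        forms.add(f"{addr}%{port}")
    return forms

def entry_matches(entry, user, direction, host, port):
    """An entry applies when direction, user pattern and forward pattern all match."""
    action, acl_dir, user_pat, fwd_pat = entry
    if acl_dir != direction or not re.fullmatch(user_pat, user):
        return False
    return any(re.fullmatch(fwd_pat, t) for t in target_forms(host, port))

def forward_permitted(acl, user, direction, host, port):
    """Assumed evaluation order: any matching deny entry wins; otherwise the
    forward needs a matching allow entry."""
    hits = [e for e in acl if entry_matches(e, user, direction, host, port)]
    if any(action == "deny" for action, *_ in hits):
        return False
    return any(action == "allow" for action, *_ in hits)

if __name__ == "__main__":
    for d, h, p in [("local", "www.example.com", 443), ("local", "192.0.2.10", 443),
                    ("remote", "www.example.com", 443), ("local", "www.example.org", 80)]:
        print(d, f"{h}:{p}", forward_permitted(PAGE_ACL, "tunnel", d, h, p))
```

With the page's entries, a tunnel to 192.0.2.10:443 is refused even though it is the same host as www.example.com:443, because the DNS-name pattern never sees the address form; an entry written as 192\.0\.2\.10%443 would permit either request.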
The following configuration option of SSH Tectia Server will deny the user "tunnel" terminal access.
It is recommended to also deny X11 forwarding and agent forwarding when terminal access is denied, since there is no need to allow that functionality:
To deny all users access to the SFTP server, change the default SFTP subsystem configuration option of SSH Tectia Server to: