SSH Tectia 
PreviousNextUp[Contents] [Index]

    About This Document >>
    Installing SSH Tectia Server >>
    Getting Started >>
        Location of Installed Files >>
        Starting and Stopping the Server >>
        Operation of the Server >>
        SSH Tectia Server (T) >>
            Tunneling User
            Restricting Services
        SSH Tectia Server (A) >>
        SSH Tectia Client >>
        Examples of Use
    Configuration >>
    Authentication >>
    Application Tunneling >>
    Troubleshooting >>
    Man Pages
    Advanced Options >>
    Log Messages >>

Restricting Services

In this example, the user tunnel is restricted to tunneling services while other users have terminal access. All users are denied file transfer service and X11 and agent forwarding.

Please see Section Subconfigurations for information on user-specific configurations if more fine-grained control is needed over the services.

Note that the users with terminal (shell) access are restricted only in the SSH Tectia Server configuration and can, for example, set up their own port forwardings. Please see Section Privileged Users for more information.

Tunneling

SSH Tectia Connector will use only outgoing tunnels. The tunnels are established based on the configuration of the application being tunneled. Please see Section Application Tunneling for details on the tunneling principles.

The following configuration options of SSH Tectia Server will deny incoming tunnels (remote port forwarding) and allow outgoing tunnels (local port forwarding) for all users for example to http://webserver.example.com or https://webserver.example.com.

AllowTcpForwarding       yes
ForwardACL               deny remote .* .*
ForwardACL               allow local .* .*\.example\.com(80|443)

Note that the ForwardACL forward pattern defined with a DNS name does not match if the tunneled application uses IP addresses instead of DNS names for connections. The forward pattern defined with an IP address will match to both.

Please see Section Restricting User Logins for more information on the egrep regular expression syntax used in configurations.

Terminal Access

The following configuration option of SSH Tectia Server will deny the user tunnel terminal access.

Terminal.DenyUsers       tunnel

It is recommended to deny also X11 forwarding and agent forwarding if terminal access is denied as there is no need to allow the functionality:

AllowX11Forwarding       no
AllowAgentForwarding     no

File Transfers

To deny all users the access to the SFTP server, change the default SFTP subsystem configuration option of SSH Tectia Server to:

subsystem-sftp

PreviousNextUp[Contents] [Index]


[ Contact Information | Support | Feedback | SSH Home Page | SSH Products ]

Copyright © 2010 SSH Communications Security Corp.
This software is protected by international copyright laws. All rights reserved.
Copyright Notice