
How can I restrict access to my 4.x Tectia Server?

For example, I would like to deny access to certain users.

asked Dec 16 '10 at 12:44

SSH KB ♦


Please note that 4.x is no longer supported. See http://www.tectia.com/en/Support/Support_Services/End_of_Support_Dates.iw3 for currently supported products.

However, here are some instructions:

Restricting access by host

In SSH Tectia Server for Windows:

  1. Select Start > Programs > SSH Tectia Server > SSH Tectia Server Configuration, and go to the Host Restrictions page under User Authentication.
  2. On this page you can enter comma-separated lists of hosts the server will either allow or deny (see Syntax below).

In SSH Tectia Server for Unix:

  1. Edit the configuration file located at /etc/ssh2/sshd2_config with your preferred text editor.
  2. Locate the keywords AllowHosts and DenyHosts. These keywords are followed by a comma-separated list of hosts that the server will either allow or deny, respectively (see Syntax below).

Note: If any hosts are defined in the Allow login from hosts list, the server will reject connections coming from any other hosts. In other words, make sure that every host you wish to allow is accounted for in the list.

Important: Make sure that the Require reverse DNS mapping option is set to Yes on the Network page under SSH Tectia Server in SSH Tectia Server Configuration (Windows) or that the RequireReverseMapping keyword in /etc/ssh2/sshd2_config is set to yes. This ensures that incoming connections make their originating hostnames known, which is critical for restricting access by host.

Restricting access by user or group

In SSH Tectia Server for Windows:

  1. Select Start > Programs > SSH Tectia Server > SSH Tectia Server Configuration, and go to the User Restrictions page.
  2. On this page you can enter comma-separated lists of users the server will either allow or deny (see Syntax below). If you wish to deny administrator login, clear the appropriate checkbox.

In SSH Tectia Server for Unix:

  1. Edit the configuration file located at /etc/ssh2/sshd2_config with your preferred text editor.
  2. Locate the keywords AllowUsers and DenyUsers. These keywords are followed by a comma-separated list of hosts that the server will either allow or deny, respectively (see Syntax below).

Note: If any user names are defined in the Allow login for users list, the server will reject connections for any other users. In other words, make sure that every user you wish to allow is accounted for in the list.

User and host restriction syntax

By default, the lists of allowed or denied users and hosts follow the egrep regular expression syntax. More information can be found in the sshregex(1) Unix manual page, or under Configuration File Reference > Egrep Syntax section in SSH Tectia Server Administrator's Guide. Also, a wealth of other examples can be found in SSH Tectia Server Administrator's Guide under the Configuration > Restricting User Logins section.

Some examples of allowed hosts:

  • Only allow login from any host from a Finnish domain:
    .*\.fi
  • Only allow login from any host ending in .ssh.com:
    .*\.ssh\.com
  • Only allow login from anything ending either in .example.com or .ssh.com:
    .*\.example\.com,.*\.ssh\.com

Some examples of denied hosts:

  • Deny login from hosts ending in .evil.example:
    .*\.evil\.example
  • Deny login from Finnish domains and from hosts ending in .evil.example:
    .*\.fi,.*\.evil\.example

Note: If you want to insert a literal dot "." in the hostname, you must escape it with a backslash: \. An unescaped dot means "any character."

Some examples of allowed users:

  • Only allow user root to log in:
    root
  • Only allow users whose username begins with cool to log in:
    cool.*

Some examples of denied users:

  • Deny user devil coming from evil.example:
    devil@evil\.example
  • Deny user root and any user with UID 1337:
    root,1337

Restricting terminal access

In SSH Tectia Server for Windows:

  1. Select SSH Tectia in Start > Programs > SSH Tectia Server > Server Configuration, and go to the User Restrictions page.
  2. Set the Permit user terminal option to no if you wish nobody to have terminal access, and to admin if you only wish the administrators to have terminal access.

In SSH Tectia Server for Unix:

Note: SSH Tectia Server for Unix does not natively support restricting terminal access. Instead, you must configure the user shell program to one that does not provide terminal functionality, such as false.

On a typical Unix system, the following steps are done:

  1. Edit the file /etc/passwd with your preferred text editor.
  2. Find the user whose terminal access you wish to deny. Set that user's shell to /sbin/nologin or another program with similar functionality.

Important: If you are unsure how to do this, or these steps do not apply, consult your operating system manual. Always test the configuration before taking it to use!

Restricting directory access (chroot)

Note: A terminal "chroot jail" is not natively supported by SSH Tectia Server. Please consult your operating system manual if you wish to restrict user access to specific directories in the terminal environment. In Unix, the traditional way is to use the chroot program, and in Windows, local user privileges must be configured.

Note: SSH Tectia Server for Windows restricts SFTP users to their home directories by default.

Restricting users to their home directories in the SFTP environment (SSH Tectia Server for Unix):

  1. Open the file /etc/ssh2/sshd2_config with your preferred text editor.
  2. If you wish to chroot by username, enter the usernames you wish to restrict as a comma-separated list after the keyword ChRootUsers.
  3. If you wish to chroot by group, enter the groups you wish to restrict as a comma-separated list after the keyword ChRootGroups.

answered Dec 16 '10 at 12:58

SSH KB ♦

edited Dec 21 '10 at 09:40
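As an added example (not part of the KB answer or Tectia's own code), the following Python script simulates the AllowHosts/DenyHosts/AllowUsers/DenyUsers semantics described in the answer, so a restriction list can be sanity-checked before it is deployed: a non-empty Allow list rejects everything it does not match, bare numbers compare against the UID, user@host entries match both halves, and the sshregex egrep patterns are approximated with Python's re module anchored to the whole string. The sshd2_config fragment is constructed, and the evaluation order (Deny before Allow, hosts before users) is an assumption, not documented behaviour.

```python
import re

# Constructed sshd2_config fragment for the simulation (not taken from a real server).
SAMPLE_CONFIG = r"""
# restrict by host, then by user (constructed example)
AllowHosts   .*\.example\.com,.*\.ssh\.com
DenyHosts    .*\.evil\.example\.com
AllowUsers   cool.*,root
DenyUsers    devil@.*\.example\.com,1337
"""

KEYWORDS = ("AllowHosts", "DenyHosts", "AllowUsers", "DenyUsers")

def parse_lists(config_text):
    """Collect the comma-separated Allow*/Deny* entries, ignoring '#' comments."""
    rules = {key: [] for key in KEYWORDS}
    for raw in config_text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if len(parts) == 2 and parts[0] in KEYWORDS:
            rules[parts[0]].extend(p.strip() for p in parts[1].split(",") if p.strip())
    return rules

def match_host(entry, host):
    # Assumption: the whole hostname must match the egrep-style pattern (fullmatch).
    return re.fullmatch(entry, host) is not None

def match_user(entry, user, uid, host):
    if entry.isdigit():                      # bare number: compared against the UID
        return uid == int(entry)
    if "@" in entry:                         # user@host form: both halves must match
        user_pat, host_pat = entry.split("@", 1)
        return re.fullmatch(user_pat, user) is not None and match_host(host_pat, host)
    return re.fullmatch(entry, user) is not None

def decide(rules, user, uid, host):
    """Return (allowed, reason). Assumption: a Deny match always wins, and a
    non-empty Allow list rejects anything it does not match, as the KB note says."""
    for entry in rules["DenyHosts"]:
        if match_host(entry, host):
            return False, "DenyHosts " + entry
    if rules["AllowHosts"] and not any(match_host(e, host) for e in rules["AllowHosts"]):
        return False, "host not in AllowHosts"
    for entry in rules["DenyUsers"]:
        if match_user(entry, user, uid, host):
            return False, "DenyUsers " + entry
    if rules["AllowUsers"] and not any(match_user(e, user, uid, host) for e in rules["AllowUsers"]):
        return False, "user not in AllowUsers"
    return True, "allowed"
```

Running `match_host` with `.*.fi` against `host.xfi` returns True while `.*\.fi` returns False, which is the unescaped-dot pitfall the answer warns about.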
