
Beginning with Tectia Server 5.0 it is no longer necessary to run multiple instances of the daemon to achieve different configurations for separate use cases.

asked Dec 23 '10 at 15:54


SSH KB ♦


Tectia Server 5.0 features a flexible configuration logic in XML format that makes it possible to create dynamic server configurations based on different selectors such as user and/or host or network interface. Different server configuration rules can be specified for each user if desired. However, in most setups it is possible to use a more scalable selector type to define groups for the <services>. For example, in a use case where administrators should have all possible services such as Terminal Access, Secure File Transfer, and Tunneling once authenticated and non-privileged users only Local Tunneling, one of the following selectors could be used as a basis for grouping, depending on the environment setup:

privileged user

If the administrators log in directly to a privileged user account, the services can be controlled based on this selector on Unix. If the administrators are required to log in to a non-privileged account first and, once logged in, elevate their access rights to privileged, another selector has to be used.
 <services>
   <group name="admin">
     <selector>
       <user-privileged value="yes"/>
     </selector>
   </group>

   <!-- in this example the same selector could be used to match
   the other use case as well but to ensure the default allow rule
   is not used by accident later on if admin group selectors change,
   define the fallback group with an empty selector (that will always
   match) -->

   <group name="other">
     <selector>
     </selector>
   </group>

   <!-- explicit rule for the admin group, listed before the fallback
   rule: every service allowed, stated here instead of relying on the
   implicit default allow rule -->

   <rule group="admin">
     <terminal action="allow" />
     <subsystem type="sftp" action="allow" />
     <tunnel-local action="allow" />
     <tunnel-remote action="allow" />
   </rule>

   <!-- fallback rule: local tunneling only -->

   <rule group="other">
     <terminal action="deny" />
     <subsystem type="sftp" action="deny" />
     <tunnel-local action="allow" />
     <tunnel-remote action="deny" />
   </rule>
 </services>

authentication method

If publickey authentication (plain publickey authentication or certificate authentication) is allowed only for administrators in your environment, the services can be allowed once plain publickey authentication has been completed or based on certificate contents, and denied or restricted when any other method is used. For example, with plain publickey authentication the configuration would be:
 <services>
   <group name="admin">
     <selector>
       <publickey-passed />
     </selector>
   </group>

   <!-- define the fallback group with an empty selector
   (that will always match) -->

   <group name="other">
     <selector>
     </selector>
   </group>

   <!-- explicit rule for the admin group, listed before the fallback
   rule: every service allowed, stated here instead of relying on the
   implicit default allow rule -->

   <rule group="admin">
     <terminal action="allow" />
     <subsystem type="sftp" action="allow" />
     <tunnel-local action="allow" />
     <tunnel-remote action="allow" />
   </rule>

   <!-- fallback rule: local tunneling only -->

   <rule group="other">
     <terminal action="deny" />
     <subsystem type="sftp" action="deny" />
     <tunnel-local action="allow" />
     <tunnel-remote action="deny" />
   </rule>
 </services>

network interface

If the server host has two network interfaces and administrator access should not be allowed from the external network but only from the internal network, the configuration can allow all services for connections through the internal network and only Local Tunneling for connections through the external network.
 <services>
   <group name="internal_all_services">
     <selector>
       <interface address="10.1.54.19" />
     </selector>
   </group>

   <!-- define the fallback group with an empty selector
   (that will always match) -->

   <group name="other">
     <selector>
     </selector>
   </group>

   <!-- explicit rule for connections through the internal interface,
   listed before the fallback rule: every service allowed, stated here
   instead of relying on the implicit default allow rule -->

   <rule group="internal_all_services">
     <terminal action="allow" />
     <subsystem type="sftp" action="allow" />
     <tunnel-local action="allow" />
     <tunnel-remote action="allow" />
   </rule>

   <!-- fallback rule for the external interface: local tunneling only -->

   <rule group="other">
     <terminal action="deny" />
     <subsystem type="sftp" action="deny" />
     <tunnel-local action="allow" />
     <tunnel-remote action="deny" />
   </rule>
 </services>
For more information on available selectors, please see the Tectia Server Administrator's Guide, the ssh-server-config man pages and ssh-server-config-example.xml example configuration file available in the Tectia Server distribution.

answered Dec 23 '10 at 15:58


Alan - Tectia Support ♦
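The three answers above all rely on the same mechanism: a connection is placed into a group by its selector, and the rule for that group decides which services it gets, with an empty-selector "fallback" group catching everyone else. The following script is an added example written for this page, not Tectia code, and it is not shipped with Tectia Server: it models that evaluation on a constructed `<services>` fragment so you can see which rule a given connection ends up with before deploying a change. The semantics it implements are assumptions stated in the module docstring (first matching group wins, rules are tested in document order, no matching rule means the implicit default allow rule); the connection records and IP addresses are constructed, and only the three selector matchers used on this page are modelled. Check the semantics against the Administrator's Guide for your server version before relying on them.

```python
"""Added example (not Tectia code): simulate how a <services> block assigns a
connection to a group and which rule that connection then receives.

Assumed semantics, modelled on the page's description and stated here as
assumptions to verify against the Tectia Server Administrator's Guide:
  * groups are tested in document order; a connection belongs to the first
    group whose selector matches, so an empty <selector/> is a fallback
    only if it is listed last
  * inside one <selector>, every matcher must hold (AND); a group with
    several <selector> elements matches if any of them holds (OR)
  * rules are tested in document order; the first rule for the connection's
    group wins; with no matching rule the implicit default rule allows all
"""
import xml.etree.ElementTree as ET

SERVICE_NAMES = ("terminal", "sftp", "tunnel-local", "tunnel-remote")
DEFAULT_RULE = {name: "allow" for name in SERVICE_NAMES}

# Constructed configuration for this example: administrators must be privileged
# AND arrive over the internal interface; everybody else gets local tunnels only.
CONFIG_XML = """
<services>
  <group name="admin">
    <selector>
      <user-privileged value="yes"/>
      <interface address="10.1.54.19"/>
    </selector>
  </group>
  <group name="other">
    <selector/>
  </group>
  <rule group="admin">
    <terminal action="allow"/>
    <subsystem type="sftp" action="allow"/>
    <tunnel-local action="allow"/>
    <tunnel-remote action="allow"/>
  </rule>
  <rule group="other">
    <terminal action="deny"/>
    <subsystem type="sftp" action="deny"/>
    <tunnel-local action="allow"/>
    <tunnel-remote action="deny"/>
  </rule>
</services>
"""

# Constructed connections: account privilege, authentication, ingress interface.
ADMIN_INTERNAL = {"user_privileged": True, "publickey_passed": True, "interface": "10.1.54.19"}
ADMIN_EXTERNAL = {"user_privileged": True, "publickey_passed": True, "interface": "198.51.100.7"}
USER_INTERNAL = {"user_privileged": False, "publickey_passed": False, "interface": "10.1.54.19"}


def matcher_holds(matcher, conn):
    """Evaluate one selector child; only the matchers used on this page are modelled."""
    if matcher.tag == "user-privileged":
        return conn["user_privileged"] == (matcher.get("value", "yes") == "yes")
    if matcher.tag == "publickey-passed":
        return conn["publickey_passed"]
    if matcher.tag == "interface":
        return conn["interface"] == matcher.get("address")
    raise ValueError("unmodelled selector matcher <%s>" % matcher.tag)


def group_of(services, conn):
    """Name of the first group whose selector matches, or None."""
    for group in services.findall("group"):
        # all() over an empty <selector/> is True: that is what makes it a catch-all.
        if any(all(matcher_holds(m, conn) for m in sel) for sel in group.findall("selector")):
            return group.get("name")
    return None


def rule_actions(rule):
    """{service: action} for one <rule>; <subsystem type="sftp"> is keyed by its type."""
    actions = {}
    for child in rule:
        key = child.get("type") if child.tag == "subsystem" else child.tag
        actions[key] = child.get("action")
    return actions


def effective_services(xml_text, conn):
    """Return (group, rule_group, {service: action}); rule_group is None on default fall-through."""
    services = ET.fromstring(xml_text)
    group = group_of(services, conn)
    for rule in services.findall("rule"):
        if rule.get("group") == group:
            return group, group, rule_actions(rule)
    return group, None, dict(DEFAULT_RULE)  # no rule for this group: implicit default allow


def reversed_groups(xml_text):
    """Same config with the <group> elements reversed, to show why the fallback must be last."""
    services = ET.fromstring(xml_text)
    groups = services.findall("group")
    for g in groups:
        services.remove(g)
    for i, g in enumerate(reversed(groups)):
        services.insert(i, g)
    return ET.tostring(services, encoding="unicode")


def without_rule(xml_text, group_name):
    """Same config minus the rule for one group, to show the implicit default rule."""
    services = ET.fromstring(xml_text)
    for rule in services.findall("rule"):
        if rule.get("group") == group_name:
            services.remove(rule)
    return ET.tostring(services, encoding="unicode")


if __name__ == "__main__":
    for label, conn in (("admin/internal", ADMIN_INTERNAL), ("admin/external", ADMIN_EXTERNAL),
                        ("user/internal", USER_INTERNAL)):
        print(label, effective_services(CONFIG_XML, conn))
    print("groups reversed, admin/internal:", effective_services(reversed_groups(CONFIG_XML), ADMIN_INTERNAL))
    print("no admin rule, admin/internal:", effective_services(without_rule(CONFIG_XML, "admin"), ADMIN_INTERNAL))
```

Two of the cases are there deliberately. With the group order reversed, the privileged internal connection lands in "other" and loses the terminal and SFTP, which is why the empty-selector fallback group has to be listed after every specific group. With the admin rule removed, the same connection still belongs to "admin" but no rule applies to it, so it gets the implicit default allow rule the answer's comment warns about; an explicit allow rule for the privileged group keeps that outcome visible in the configuration rather than implied.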

Asked: Dec 23 '10 at 15:54

Seen: 1,081 times

Last updated: Mar 03 '11 at 19:22

All user contributed content licensed under the cc-by-sa license.
Powered by OSQA.