Ah, but you see, the original poster is asking to have the firewall
differentiate between ssh and scp/sftp. This is not possible.
The network layer (where the firewall works) sees no difference in the content
of an ssh connection vs. an scp/sftp connection. They all work inside an
encrypted tunnel to TCP port 22. SSH was designed to not trust the network,
so it leaves almost nothing available to the network.
On 6/28/06, Landry Brunel <[EMAIL PROTECTED]> wrote:
You can do that with an out-of-band authentication:
1 - the user authenticates to the firewall
2 - if the authentication is successful, the firewall allows ssh from
this host to the external network.
Landry.
Robert Hajime Lanning wrote:
> This cannot be done by the firewall. SSH is an opaque encrypted tunnel.
>
> You have to handle this outside the tunnel part, i.e. at the client or
> server end.
> Preferably at the server end, where there is more trust.
>
> But how do you give shell without the capability to transfer a file?
> You can't, unless you remove the file transfer parts of the server and
> create a restricted shell for the user.
>
> $ tar -cf - dir-of-files | ssh servername "tar -xf -"
> $ ssh servername "cat > file.txt" < file.txt
> ...
>
> On 6/26/06, Odaniel, Jim (Mission Systems) <[EMAIL PROTECTED]> wrote:
>> Hi,
>> I have a unique ssh/sftp requirement. I have two networks
>> separated by a firewall. I would like to allow anyone on my "internal"
>> network to ssh to my "external" network but I would like to control who
>> is allowed to sftp/scp files from my internal network to my external
>> network. How can I do this? Is there a way to do this if my firewall
>> doesn't support controlling such an activity? Will setting up some kind
>> of internal proxy/port forwarding server do the trick?
>>
>> The version that I am using is:
>> OpenSSH_4.1, OpenSSL 0.9.7e 25 Oct 2004
>> HP-UX Secure Shell - A.04.00.000
>>
>> Thanks for your help!
>> Jim O'Daniel
>> Unix Systems Administrator, Northrop Grumman
>> [EMAIL PROTECTED]
>>
>>
>
>
--
############################################################
BRUNEL Landry
EPSHOM
CIS/MIC (antenne Toulouse)
42, Ave Gaspard Coriolis
31057 TOULOUSE CEDEX
Email: [EMAIL PROTECTED]
Tel : (33) 05 61 43 35 04
Fax : (33) 05 62 14 06 10
############################################################
--
And, did Guloka think the Ulus were too ugly to save?
-Centauri
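Robert's point in the quoted thread, that the control has to live at the server end as a restricted shell rather than in the firewall, as an added example that is not part of this thread or of OpenSSH: a small Python allow-list wrapper that can be installed as a user's login shell, or run through sshd's ForceCommand (a later OpenSSH feature than the 4.1 release mentioned above), which hands the requested command over in SSH_ORIGINAL_COMMAND. The allow-list contents, the helper names and the sample command lines are assumptions made for the example.

```python
#!/usr/bin/env python3
"""Allow-list command wrapper for an SSH account that must not be able to
move files.  Added example; the allow-list and helper names are assumed."""
import os
import shlex
import subprocess
import sys

# Constructed allow-list: commands that report state but do not read or
# write arbitrary files.  Anything that prints file contents (cat, tar,
# dd ...) is itself a transfer channel and is deliberately absent.
ALLOWED_COMMANDS = {"ls", "df", "uptime", "id", "hostname", "who"}

# Tokens that begin with one of these are shell operators: redirection,
# pipes, command lists, subshells.  Each one is a way to smuggle data.
SHELL_OPERATORS = ";|&<>()"


def tokenize(cmdline):
    """Split like a POSIX shell, returning operators as separate tokens,
    so 'cat >file' becomes ['cat', '>', 'file'] rather than ['cat', '>file']."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def check_command(cmdline):
    """Return (allowed, reason).  Every rejection names the rule that fired
    so the decision can be logged for the operator."""
    if not cmdline.strip():
        return False, "interactive shell is not permitted"
    if "`" in cmdline or "$(" in cmdline:
        return False, "command substitution is not permitted"
    try:
        tokens = tokenize(cmdline)
    except ValueError as exc:          # e.g. unbalanced quotes
        return False, "unparseable command line: %s" % exc
    for tok in tokens:
        if tok and tok[0] in SHELL_OPERATORS:
            return False, "shell operator %r is not permitted" % tok
    if tokens[0] not in ALLOWED_COMMANDS:   # exact match: no '/tmp/ls' tricks
        return False, "command %r is not on the allow-list" % tokens[0]
    return True, "ok"


def requested_command(argv, environ):
    """sshd runs a login shell as 'shell -c CMD'; under ForceCommand the
    original request arrives in SSH_ORIGINAL_COMMAND instead."""
    if len(argv) >= 3 and argv[1] == "-c":
        return argv[2]
    return environ.get("SSH_ORIGINAL_COMMAND", "")


def main():
    cmdline = requested_command(sys.argv, os.environ)
    allowed, reason = check_command(cmdline)
    if not allowed:
        sys.stderr.write("rejected: %s\n" % reason)
        sys.exit(1)
    # Run without a shell: the tokens are passed as argv, so nothing in the
    # request is reinterpreted by /bin/sh.
    result = subprocess.run(tokenize(cmdline))
    sys.exit(result.returncode)


if __name__ == "__main__":
    main()
```

Installed as the login shell (`chsh -s /usr/local/bin/restricted-shell.py user`) or via `Match User user` / `ForceCommand /usr/local/bin/restricted-shell.py` in sshd_config, the wrapper rejects both of Robert's examples: `tar -xf -` fails the allow-list and `cat > file.txt` trips the redirection rule. The allow-list itself is the real boundary, exactly as the thread says: any command that can emit or consume file contents turns the session back into a transfer channel.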