> You can do that with an out-of-band authentication:
> 1 - the user authenticates to the firewall
> 2 - if the authentication is successful, the firewall allows
> ssh from this host to the external network.
>
> On 6/26/06, Odaniel, Jim (Mission Systems)
> <[EMAIL PROTECTED]> wrote:
> >> Hi,
> >> I have a unique ssh/sftp requirement. I have two networks
> >> separated by a firewall. I would like to allow anyone on my "internal"
> >> network to ssh to my "external" network but I would like to control
> >> who is allowed to sftp/scp files from my internal network to my
> >> external network. How can I do this? Is there a way to do this if
> >> my firewall doesn't support controlling such an activity? Will
> >> setting up some kind of internal proxy/port forwarding server do the trick?
> >>
> >> The version that I am using is:
> >> OpenSSH_4.1, OpenSSL 0.9.7e 25 Oct 2004 HP-UX Secure Shell -
> >> A.04.00.000
I fail to see how using out-of-band authentication solves anything here.

First off, the part about allowing access from the internal to external networks is easy, either with simple firewall rules, or host-based access controls such as TCP wrappers, ip filters, etc. Authentication doesn't really need to come into the picture at this level.

Second, if the goal is to disallow file transfers from those hosts over SSH, authentication (out-of-band or otherwise) also does nothing to solve the problem. Once a user is auth'd to SSH, they'll still be able to transfer files over the SSH tunnel, no matter how they're authenticated.

I think the previous answers were correct here: the closest you'd be able to get would be to use a restricted shell with no access to the scp commands, disable sftp, and hope you don't have a user smart enough to figure out there will still be ways to transfer files no matter how you try to lock it down.
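As an added illustration of the "restricted shell / disable sftp" approach the reply describes (this is example code written for this page, not something posted in the thread), the wrapper below is meant to be installed as a `ForceCommand` for a group of users who may log in and run commands on the external host but may not move files with scp or sftp. It assumes an OpenSSH server with `Match` and `ForceCommand` support (those arrived in OpenSSH 4.4, later than the 4.1 build in the original question), a hypothetical group name `nofiletransfer`, a hypothetical install path `/usr/local/sbin/no-xfer-wrapper`, and that sshd places the requested command, or the configured sftp subsystem command, in `SSH_ORIGINAL_COMMAND` when a forced command is in effect.

```shell
#!/bin/sh
# Example ForceCommand wrapper (added here, not from the thread).
# Assumed sshd_config fragment that pairs with it:
#
#   Match Group nofiletransfer
#       ForceCommand /usr/local/sbin/no-xfer-wrapper
#
# Interactive logins and ordinary remote commands are passed to a real shell;
# scp and the sftp subsystem are refused and logged.

REAL_SHELL="/bin/sh"   # assumption: the shell allowed users should actually get

# classify_ssh_command CMD
#   Prints "deny" (and returns 1) when CMD is an scp or sftp transfer request,
#   "allow" (and returns 0) otherwise. Only the first word is inspected, with
#   any directory prefix stripped, so "/usr/bin/scp -t /tmp" and "scp" match alike.
classify_ssh_command() {
    cmd="$1"
    first=$(printf '%s' "$cmd" | awk '{print $1}')
    base=${first##*/}
    case "$base" in
        scp|sftp-server|internal-sftp)
            echo deny
            return 1
            ;;
    esac
    echo allow
    return 0
}

no_xfer_main() {
    # No command requested: the client wants an interactive login.
    if [ -z "${SSH_ORIGINAL_COMMAND:-}" ]; then
        exec "$REAL_SHELL" -l
    fi

    if classify_ssh_command "$SSH_ORIGINAL_COMMAND" >/dev/null; then
        exec "$REAL_SHELL" -c "$SSH_ORIGINAL_COMMAND"
    fi

    # Denied: leave an audit trail and tell the client why the session ended.
    logger -p auth.notice -t no-xfer-wrapper \
        "denied file transfer for ${USER:-unknown}: $SSH_ORIGINAL_COMMAND"
    echo "file transfer is not permitted from this host" >&2
    exit 1
}

# Only act as the wrapper when invoked under its installed name, so the
# functions can also be sourced and exercised on their own.
case "$0" in
    */no-xfer-wrapper|no-xfer-wrapper) no_xfer_main "$@" ;;
esac
```

Note what this does and does not buy you. It stops the two transfer mechanisms the question names, and the `logger` line gives you a detection signal when someone tries them, but it is a denylist on a command name, which is exactly the kind of lock-down the reply warns a determined user will route around. If the users truly need no shell at all, a `ForceCommand` that runs a single fixed program (or a restricted login shell) is the stronger control; the firewall rule permitting port 22 outbound is still needed alongside either one.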
