Re: Unique ssh/sftp requirement
>Hi,
> I have a unique ssh/sftp requirement. I have two networks
>separated by a firewall. I would like to allow anyone on my "internal"
>network to ssh to my "external" network but I would like to control who
>is allowed to sftp/scp files from my internal network to my external
>network. How can I do this? Is there a way to do this if my firewall
>doesn't support controlling such an activity? Will setting up some kind
>of internal proxy/port forwarding server do the trick?
>
>The version that I am using is:
>OpenSSH_4.1, OpenSSL 0.9.7e 25 Oct 2004
>HP-UX Secure Shell - A.04.00.000

Hello Jim,

The sftp/scp commands internally make use of ssh for remote connection. So
you can't control sftp/scp providing access only to ssh. For scp, the remote
machine (sshd) invokes scp process and for sftp it invokes sftp-server
subsystem. So you can completely disable sftp/scp by removing them in the
remote system. But that happens only after authenticating the user :(

regards,
Visolve Security Consulting Group.
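
One way to get the per-user control asked about, shown as an added example that is not part of the original reply: because sshd starts `scp` or `sftp-server` on the external host for every transfer, a forced-command wrapper there can inspect the requested command and refuse those two for users who are not on an allowlist. It assumes key-based logins with the wrapper installed through the `command="..."` option in `authorized_keys` (which makes sshd set `SSH_ORIGINAL_COMMAND`); the allowlist, user names and sample requests are constructed for illustration.

```shell
#!/bin/sh
# Decision logic for a forced-command wrapper on the external host (added example).
# ALLOWED_TRANSFER_USERS is a hypothetical allowlist of accounts that may use scp/sftp.
ALLOWED_TRANSFER_USERS="alice backup"

# Classify the value sshd places in SSH_ORIGINAL_COMMAND.
classify_request() {
    if [ -z "$1" ]; then
        echo shell                      # interactive login, no command requested
        return
    fi
    prog=${1%% *}                       # first word of the requested command
    case "${prog##*/}" in               # compare on the basename only
        scp)                       echo scp ;;   # scp client asks for "scp -t|-f path"
        sftp-server|internal-sftp) echo sftp ;;  # sftp subsystem request
        *)                         echo command ;;
    esac
}

# Succeeds when USER is on the transfer allowlist.
transfer_allowed() {
    for u in $ALLOWED_TRANSFER_USERS; do
        [ "$u" = "$1" ] && return 0
    done
    return 1
}

# decide USER ORIGINAL_COMMAND -> prints "allow" or "deny"
decide() {
    case "$(classify_request "$2")" in
        scp|sftp) if transfer_allowed "$1"; then echo allow; else echo deny; fi ;;
        *)        echo allow ;;         # ssh logins and ordinary commands stay open to all
    esac
}

# Constructed sample requests, one per line: user|SSH_ORIGINAL_COMMAND
while IFS='|' read -r user cmd; do
    printf '%-6s %-28s %s\n' "$user" "${cmd:-<login shell>}" "$(decide "$user" "$cmd")"
done <<'EOF'
jim|
jim|scp -t /tmp/upload
jim|/usr/libexec/sftp-server
alice|scp -f /var/log/messages
jim|uptime
EOF
```

As the reply notes, this takes effect only after authentication, and it blocks only the scp and sftp programs: an account with an interactive shell can still move data through the session itself.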