You can do that with an out-of-band authentication:
1 - the user authenticates to the firewall
2 - if the authentication is successful, the firewall allows ssh from
this host to the external network.

Landry.



Robert Hajime Lanning wrote:
> This cannot be done by the firewall. SSH is an opaque encrypted tunnel.
>
> You have to handle this outside the tunnel part, i.e. at the client or
> server end.
> Preferably at the server end, where there is more trust.
>
> But how do you give shell without the capability to transfer a file?
> You can't, unless you remove the file transfer parts of the server and
> create a restricted shell for the user.
>
> $ tar -cf - dir-of-files | ssh servername "tar -xf -"
> $ ssh servername "cat > file.txt" < file.txt
> ...
>
> On 6/26/06, Odaniel, Jim (Mission Systems) wrote:
>> Hi,
>> I have a unique ssh/sftp requirement. I have two networks
>> separated by a firewall. I would like to allow anyone on my "internal"
>> network to ssh to my "external" network but I would like to control who
>> is allowed to sftp/scp files from my internal network to my external
>> network. How can I do this? Is there a way to do this if my firewall
>> doesn't support controlling such an activity? Will setting up some kind
>> of internal proxy/port forwarding server do the trick?
>>
>> The version that I am using is:
>> OpenSSH_4.1, OpenSSL 0.9.7e 25 Oct 2004
>> HP-UX Secure Shell - A.04.00.000
>>
>> Thanks for your help!
>> Jim O'Daniel
>> Unix Systems Administrator Northrop Grumman
>> Jim.odaniel@ngc.com
--
############################################################
BRUNEL Landry

EPSHOM
CIS/MIC (antenne Toulouse)
42, Ave Gaspard Coriolis
31057 TOULOUSE CEDEX

Email: landry.brunel@shom.fr
Tel : (33) 05 61 43 35 04
Fax : (33) 05 62 14 06 10
############################################################
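The restricted shell Robert describes above, written out as an added example (this script is not part of the thread and not from any of the posters). It assumes it is installed on the external host as /usr/local/bin/ssh-interactive-only, listed in /etc/shells, and set as the login shell of each user who may log in but may not move files; /bin/sh as the real shell and the script name are assumptions. It relies on one fixed behaviour of sshd: an interactive login starts the login shell with no arguments, while scp, sftp (the Subsystem entry), "ssh host tar -xf -" and "ssh host cat > file.txt" all start it as "shell -c '<command>'". Refusing every "-c" invocation therefore closes all of the transfer paths quoted in the thread on any OpenSSH version, including 4.1, without touching plain shell logins.

```shell
#!/bin/sh
# ssh-interactive-only: restricted login shell that permits interactive
# logins and refuses every remote command (scp, sftp-server, tar, cat, ...).
# Added example; assumed install path: /usr/local/bin/ssh-interactive-only
# (add it to /etc/shells, then: chsh -s /usr/local/bin/ssh-interactive-only user).
#
# sshd starts a login shell in exactly two ways:
#   interactive login  ->  "-ssh-interactive-only"              (no arguments)
#   anything else      ->  "ssh-interactive-only -c '<command>'" (scp, the sftp
#                          Subsystem, "tar -xf -", "cat > file.txt", ...)

REAL_SHELL=/bin/sh   # assumption: the shell interactive users should get

# classify_request: print "interactive", "command" or "other" for the
# argument list sshd handed to the login shell.
classify_request() {
    if [ "$#" -eq 0 ]; then
        echo interactive
    elif [ "$1" = "-c" ] && [ "$#" -ge 2 ]; then
        echo command
    else
        echo other
    fi
}

# allow_request: exit status 0 if the session may proceed, 1 if it is denied.
# A denied remote command is recorded through syslog when logger(1) exists.
allow_request() {
    case "$(classify_request "$@")" in
        interactive)
            return 0 ;;
        command)
            logger -t ssh-interactive-only \
                "denied remote command for ${USER:-unknown}: $2" 2>/dev/null || :
            return 1 ;;
        *)
            return 1 ;;
    esac
}

# Act as a shell only when executed under the installed name; when the file
# is merely sourced (for instance by a test), just define the functions.
case "$0" in
    */ssh-interactive-only|-ssh-interactive-only|ssh-interactive-only)
        if allow_request "$@"; then
            exec "$REAL_SHELL"
        fi
        echo "remote commands and file transfers are not permitted on this host" >&2
        exit 1
        ;;
esac
```

Two caveats a practitioner should keep in mind. First, this enforces Robert's point rather than contradicting it: a user with an interactive shell can still read a file and copy it out of the terminal by hand, so the wrapper removes the automated transfer paths, not the ability to see data. Second, it says nothing about TCP forwarding, which sshd controls separately with AllowTcpForwarding in sshd_config; leave that at the value your policy requires.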