Ah, but you see, the original poster is asking to have the firewall differentiate
between ssh and scp/sftp. This is not possible.

The network layer (where the firewall works) sees no difference in the content
of an ssh connection vs. an scp/sftp connection. They all work inside an
encrypted tunnel to TCP port 22. SSH was designed to not trust the network,
so it leaves almost nothing available to the network.

On 6/28/06, Landry Brunel wrote:
>
> You can do that with out-of-band authentication:
> 1 - the user authenticates to the firewall
> 2 - if the authentication is successful, the firewall allows ssh from
> this host to the external network.
>
> Landry.
>
>
>
> Robert Hajime Lanning wrote:
> > This cannot be done by the firewall. SSH is an opaque encrypted tunnel.
> >
> > You have to handle this outside the tunnel part, i.e. at the client or
> > server end.
> > Preferably at the server end, where there is more trust.
> >
> > But how do you give shell without the capability to transfer a file?
> > You can't, unless you remove the file transfer parts of the server and
> > create a restricted shell for the user.
> >
> > $ tar -cf - dir-of-files | ssh servername "tar -xf -"
> > $ ssh servername "cat > file.txt" < file.txt
> > ...
> >
> > On 6/26/06, Odaniel, Jim (Mission Systems) wrote:
> >> Hi,
> >> I have a unique ssh/sftp requirement. I have two networks
> >> separated by a firewall. I would like to allow anyone on my "internal"
> >> network to ssh to my "external" network but I would like to control who
> >> is allowed to sftp/scp files from my internal network to my external
> >> network. How can I do this? Is there a way to do this if my firewall
> >> doesn't support controlling such an activity? Will setting up some kind
> >> of internal proxy/port forwarding server do the trick?
> >>
> >> The version that I am using is:
> >> OpenSSH_4.1, OpenSSL 0.9.7e 25 Oct 2004
> >> HP-UX Secure Shell - A.04.00.000
> >>
> >> Thanks for your help!
> >> Jim O'Daniel
> >> Unix Systems Administrator Northrop Grumman
> >> Jim.odaniel@ngc.com
> >>
> >
>
> --
> ################################################## ##########
> BRUNEL Landry
>
> EPSHOM
> CIS/MIC (antenne Toulouse)
> 42, Ave Gaspard Coriolis
> 31057 TOULOUSE CEDEX
>
> Email: landry.brunel@shom.fr
> Tel : (33) 05 61 43 35 04
> Fax : (33) 05 62 14 06 10
> ################################################## ##########
>
>
>

-- 
And, did Guloka think the Ulus were too ugly to save?
-Centauri
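The point the thread keeps coming back to is that the decision cannot be made by the firewall, only at the server end, by giving the user a restricted shell. As an added illustration (this is not code from any poster in the thread), the following hypothetical login-shell wrapper implements exactly that policy: every user may log in interactively, but a remote command, which is how scp, sftp and the `tar ... | ssh host "tar -xf -"` pipeline quoted above all reach the server, is only executed for users on an allow-list. The user names in `TRANSFER_ALLOWED`, the function names `user_may_transfer`, `classify_session` and `restricted_login_main`, and the `RESTRICTED_LOGIN_MAIN` guard variable are all assumptions of this example. It is meant to be installed as the login shell of the accounts it governs; sshd then runs it as `wrapper -c 'command'` for a remote command and with no arguments for an interactive session.

```shell
#!/bin/sh
# Added example (not from the thread): a hypothetical restricted login wrapper
# that enforces, on the SSH server end, the policy the firewall cannot see:
# interactive logins for everyone, remote commands (the channel scp, sftp and
# "ssh host cmd" pipelines use) only for an allow-listed set of users.

# Constructed allow-list of users permitted to run remote commands.
TRANSFER_ALLOWED="${TRANSFER_ALLOWED:-alice bob}"

# user_may_transfer USER -> 0 if USER is in the allow-list, 1 otherwise.
user_may_transfer() {
    _u=$1
    for _a in $TRANSFER_ALLOWED; do
        [ "$_a" = "$_u" ] && return 0
    done
    return 1
}

# classify_session USER COMMAND -> prints interactive | transfer-allowed | denied
# and returns 0 when the session may proceed, 1 when it must be refused.
# COMMAND is the remote command string; it is empty for an interactive shell.
classify_session() {
    _user=$1
    _cmd=$2
    if [ -z "$_cmd" ]; then
        echo interactive
        return 0
    fi
    if user_may_transfer "$_user"; then
        echo transfer-allowed
        return 0
    fi
    echo denied
    return 1
}

# restricted_login_main [-c COMMAND]: the actual login-shell behaviour.
restricted_login_main() {
    _user=$(id -un)
    # As a login shell the request arrives as "-c COMMAND"; under a server-side
    # forced command it would arrive in SSH_ORIGINAL_COMMAND instead. Accept either.
    _cmd=${SSH_ORIGINAL_COMMAND:-}
    if [ "$1" = "-c" ]; then
        _cmd=$2
    fi
    _verdict=$(classify_session "$_user" "$_cmd") || true
    case $_verdict in
        interactive)
            exec /bin/sh -l ;;
        transfer-allowed)
            exec /bin/sh -c "$_cmd" ;;
        *)
            # Record the refusal so the server-side audit trail shows who tried what.
            logger -t restricted-login "refused remote command for $_user: $_cmd" 2>/dev/null || :
            echo "Remote commands (scp/sftp/tar-over-ssh) are not permitted for this account." >&2
            exit 1 ;;
    esac
}

# Only act as a login shell when explicitly asked; sourcing the file for
# testing just defines the functions above.
if [ -n "${RESTRICTED_LOGIN_MAIN:-}" ]; then
    restricted_login_main "$@"
fi
```

Because the check is on the command request rather than on any particular tool, the `tar` and `cat > file.txt` tricks quoted above are refused by the same branch as a plain scp; an sftp subsystem request also reaches the login shell as a `-c` command on servers that launch the subsystem as an external program, so it is covered too. What this wrapper cannot do is distinguish "scp" from any other remote command, which is the same opacity problem the firewall has, only one layer up: the practical policy is therefore "remote commands yes or no", decided per user on the server.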