This is a discussion on RE: Unique ssh/sftp requirement - openssh
> You can do that with an out of band authentication:
> 1 - the user authenticates to the firewall
> 2 - if the authentication is successful, the firewall allows
> ssh from this host to the external network.
> > On 6/26/06, Odaniel, Jim (Mission Systems)
> >> Hi,
> >> I have a unique ssh/sftp requirement. I have two networks
> >> separated by a firewall. I would like to allow anyone on my "internal"
> >> network to ssh to my "external" network but I would like to control
> >> who is allowed to sftp/scp files from my internal network to my
> >> external network. How can I do this? Is there a way to do this if
> >> my firewall doesn't support controlling such an activity? Will
> >> setting up some kind of internal proxy/port forwarding server do the trick?
> >> The version that I am using is:
> >> OpenSSH_4.1, OpenSSL 0.9.7e 25 Oct 2004 HP-UX Secure Shell - A.04.00.000
I fail to see how using out-of-band authentication solves anything here.
First off, the part about allowing access from the internal to external
networks is easy, either with simple firewall rules, or host-based access
controls such as TCP wrappers, ip filters, etc. Authentication doesn't
really need to come into the picture at this level.
Second, if the goal is to disallow file transfers from those hosts over SSH,
authentication (out-of-band or otherwise) also does nothing to solve the
problem. Once a user is auth'd to SSH, they'll still be able to transfer
files over the SSH tunnel, no matter how they're authenticated.
I think the previous answers were correct here: the closest you'd be able to
get would be to use a restricted shell with no access to the scp commands,
disable sftp, and hope you don't have a user smart enough to figure out
there will still be ways to transfer files no matter how you try to lock it
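The reply above recommends disabling the sftp subsystem in sshd and pairing that with a restricted shell. As an added example (not code from anyone in this thread), the script below audits a constructed sshd_config fragment for an active `Subsystem sftp` line and emits a copy with that line commented out. The sample config text, the temp-file handling and the function names `sftp_enabled` / `disable_sftp` are assumptions made for the example; on a real host you would point `sftp_enabled` at `/etc/ssh/sshd_config` and apply the change with a proper config management step followed by an sshd reload.

```shell
#!/bin/sh
# Added example, not from the thread: audit and disable the sftp subsystem
# in an sshd_config. The config below is constructed for this example.

WEAK_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
Port 22
PermitRootLogin no
# sftp-server spawned for any authenticated user
Subsystem sftp /usr/libexec/sftp-server
EOF

# Return 0 (true) when an uncommented "Subsystem sftp ..." directive is present.
# Leading whitespace is allowed; commented-out lines do not match.
sftp_enabled() {
    grep -Eq '^[[:space:]]*[Ss]ubsystem[[:space:]]+sftp[[:space:]]' "$1"
}

# Print a copy of the config with every active sftp Subsystem line commented
# out, preserving its indentation so the original directive stays readable.
disable_sftp() {
    sed -E 's/^([[:space:]]*)([Ss]ubsystem[[:space:]]+sftp[[:space:]].*)$/\1#\2/' "$1"
}

HARDENED_CFG=$(mktemp)
disable_sftp "$WEAK_CFG" > "$HARDENED_CFG"

# Human-readable status line for each config file.
report() {
    if sftp_enabled "$1"; then
        echo "$1: sftp subsystem ENABLED (sftp clients will be served)"
    else
        echo "$1: sftp subsystem disabled (sftp clients are refused)"
    fi
}

report "$WEAK_CFG"
report "$HARDENED_CFG"
```

Removing the subsystem only stops sftp; as the reply points out, scp and an ordinary interactive session still move data over the same connection, so the restricted shell is the part that actually limits what the user can run, and even then the thread's closing caveat applies.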