RE: Unique ssh/sftp requirement
You can do that with an out-of-band authentication:
1 - the user authenticates to the firewall
2 - if the authentication is successful, the firewall allows
ssh from this host to the external network.

On 6/26/06, Odaniel, Jim (Mission Systems)
<Jim.Odaniel@xxxxxxx> wrote:
Hi,
I have a unique ssh/sftp requirement. I have two networks
separated by a firewall. I would like to allow anyone on my
"internal" network to ssh to my "external" network, but I would
like to control who is allowed to sftp/scp files from my internal
network to my external network. How can I do this? Is there a way
to do this if my firewall doesn't support controlling such an
activity? Will setting up some kind of internal proxy/port
forwarding server do the trick?

The version that I am using is:
OpenSSH_4.1, OpenSSL 0.9.7e 25 Oct 2004 HP-UX Secure Shell -
A.04.00.000

I fail to see how using out-of-band authentication solves anything here.

First off, the part about allowing access from the internal to external
networks is easy, either with simple firewall rules, or host-based access
controls such as TCP wrappers, ip filters, etc. Authentication doesn't
really need to come into the picture at this level.

Second, if the goal is to disallow file transfers from those hosts over SSH,
authentication (out-of-band or otherwise) also does nothing to solve the
problem. Once a user is auth'd to SSH, they'll still be able to transfer
files over the SSH tunnel, no matter how they're authenticated.

I think the previous answers were correct here: the closest you'd be able to
get would be to use a restricted shell with no access to the scp commands,
disable sftp, and hope you don't have a user smart enough to figure out
there will still be ways to transfer files no matter how you try to lock it
down.
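To make the "restricted shell, no scp, no sftp" approach concrete, here is an added example that is not from any poster in this thread: a forced-command wrapper installed on the external-side SSH server for the users who are allowed to log in but not to transfer files. The script name and path (/usr/local/sbin/no-xfer-wrapper) are assumptions. It is attached either through a `command="..."` option in the user's authorized_keys (works with the OpenSSH 4.1 mentioned above) or through `ForceCommand` in sshd_config, which only exists from OpenSSH 4.4 onward. sshd passes the client's requested command in SSH_ORIGINAL_COMMAND; an empty value means an interactive shell was requested.

```shell
#!/bin/sh
# Added example (not from the thread): forced-command wrapper that allows an
# interactive login but refuses scp and sftp for the restricted users.
#
# Install (paths are assumptions):
#   authorized_keys:  command="/usr/local/sbin/no-xfer-wrapper" ssh-rsa AAAA... user@host
#   sshd_config:      ForceCommand /usr/local/sbin/no-xfer-wrapper   (OpenSSH >= 4.4)
# Also comment out the "Subsystem sftp ..." line in sshd_config so the sftp
# subsystem is not available at all.

# classify_command CMD
#   Returns 0 (allow) or 1 (deny) for the command string a client requested.
#   Only the first word of the command is inspected, with any leading path
#   stripped, so this catches "scp -t /tmp" and "/usr/libexec/sftp-server".
classify_command() {
    cmd="$1"
    # An empty command means the client asked for an interactive shell: allow.
    [ -z "$cmd" ] && return 0
    first=$(printf '%s\n' "$cmd" | awk '{print $1}')
    first=${first##*/}
    case "$first" in
        scp|sftp-server|internal-sftp) return 1 ;;
        *) return 0 ;;
    esac
}

# deny_message USER CLIENT CMD
#   Builds the audit line written to syslog on a refusal, so the denial is
#   visible to whoever watches the auth log. Returned on stdout.
deny_message() {
    printf 'denied file-transfer command for %s from %s: %s\n' "$1" "$2" "$3"
}

main() {
    requested="${SSH_ORIGINAL_COMMAND:-}"
    if classify_command "$requested"; then
        if [ -z "$requested" ]; then
            exec "${SHELL:-/bin/sh}" -l
        else
            exec "${SHELL:-/bin/sh}" -c "$requested"
        fi
    fi
    msg=$(deny_message "${USER:-unknown}" "${SSH_CLIENT:-unknown}" "$requested")
    logger -p auth.notice -t no-xfer-wrapper "$msg" 2>/dev/null
    echo "file transfer over ssh is not permitted for this account" >&2
    exit 1
}

# Run main only when executed as the wrapper, not when sourced for testing.
case "$0" in
    */no-xfer-wrapper|no-xfer-wrapper) main ;;
esac
```

As the reply above warns, this is a name check on the requested command, nothing more: a user with an interactive shell still has plenty of ways to move data, so treat the wrapper as a way to stop casual scp/sftp use and to log attempts, not as a data-loss control.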