
Re: Selective SFTP

Richard kelly_2
Occasional Advisor

Selective SFTP

I'm running TCPIP 5.4 ECO 7 and I need to be able to enable inbound SFTP connections, but disable inbound interactive ssh terminal sessions (if it can be disabled selectively based on source IP that would be even better). Can that be done in this or any version of SSH on VMS?
John Gillings
Honored Contributor

Re: Selective SFTP

Richard,

I'm not sure if there are any specific built-in filters to satisfy your exact requirements, but you can do anything you like from SYLOGIN or the LOGIN.COM for the incoming network process.

Source addresses are SYS$REM* logical names. Other attributes of the process and connection are available via lexical functions and/or system services. Experiment with the processes you're interested in, identify those you want to block and LOGOUT from the LOGIN.COM if detected.

One useful trick... if you want to selectively enable or disable filtering by user, GRANT an identifier to the username and use that to decide if the filtering code should be executed.
A crucible of informative mistakes
Steven Schweda
Honored Contributor

Re: Selective SFTP

I know nothing, but I see nothing. I gather that on a typical UNIX system, this sort of thing is done by setting a user's shell to some alternate (dummy, fatal) thing (or to the sftp server program itself), and those techniques would seem not to apply to VMS.

If one could find an SSH-specific condition which could be tested in SYLOGIN.COM, then one might be able to cram some kludgy test of the user's name and that SSH condition into that.

The user-name part is easy enough:
f$getjpi( "", "USERNAME")

I'm unaware of any good SSH test. It seems to be true that SYS$REM_NODE is defined but f$getdvi( "TT", "TT_ACCPORNAM") is null. So, if that's true for only an SSH connection, then perhaps ...

$!
$! Usernames to block, each wrapped in "/" so f$locate only matches whole names.
$ bad_ssh_users = "/FRED/SMS/"
$! Block when: the username is in the list, a remote node is defined,
$! and the terminal has no access-port name (the SSH heuristic above).
$ if ((f$locate( ("/"+ f$edit( f$getjpi( "", "USERNAME"), "TRIM")+ "/"), -
bad_ssh_users) .lt. f$length( bad_ssh_users)) .and. -
(f$trnlnm( "SYS$REM_NODE") .nes. "") .and. -
(f$getdvi( "tt", "tt_accpornam") .eqs. ""))
$ then
$ write sys$output "SSH session?"
$ logout
$ endif
$!
Richard Whalen
Honored Contributor

Re: Selective SFTP

If this were MultiNet, then I would say to do the following:

In SSHD2_CONFIG, add the following line:

UserSpecificConfig username ssh2_dir:user_config.

In the file SSH2_DIR:USER_CONFIG:

SessionRestricted subsystem
SDIH1
Frequent Advisor

Re: Selective SFTP

The simplest is this: put a logout command in login.com of the sftp user. In TCP Services, login.com is run when logging in using ssh, but not when logging in using sftp.
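Putting the suggestions from John Gillings (decide in LOGIN.COM, exempt users via a granted identifier, consider the source address) and Steven Schweda (SYS$REM_NODE defined while TT_ACCPORNAM is empty) together, here is a worked LOGIN.COM fragment. This is an added example, not code from any of the posters or from TCP/IP Services. It assumes that SYS$REM_NODE holds the remote host as "_host::" or "_a.b.c.d::", that F$GETJPI's PROCESS_RIGHTS item returns the process's identifier names as a comma-separated string, and the constructed allow-list and identifier name SSH_INTERACTIVE are placeholders to be replaced with site values.

```dcl
$! Added example (not from any poster): LOGIN.COM fragment that ends an
$! inbound interactive SSH session unless it comes from an allowed source
$! or the account holds a rights identifier that exempts it.
$! Assumptions (not confirmed by the thread): SYS$REM_NODE contains the
$! remote host as "_host::" or "_a.b.c.d::", and F$GETJPI PROCESS_RIGHTS
$! returns the process's identifier names separated by commas.
$!
$ set noon
$!
$! Hosts/addresses allowed to open interactive SSH sessions (constructed
$! placeholder values, wrapped in "/" so f$locate matches whole entries).
$ ssh_allowed = "/10.1.2.3/ADMINWS/"
$! Identifier granted with AUTHORIZE GRANT/ID to users exempt from the filter.
$ exempt_id = "SSH_INTERACTIVE"
$!
$ rem_node = f$trnlnm("SYS$REM_NODE")
$ accpor   = f$getdvi("TT", "TT_ACCPORNAM")
$ rights   = f$getjpi("", "PROCESS_RIGHTS")
$!
$! Heuristic from this thread: remote node defined but no access-port name.
$! Anything else is treated as not an SSH terminal session and left alone.
$ if (rem_node .eqs. "") .or. (accpor .nes. "") then goto not_ssh
$!
$! Strip the leading "_" and trailing "::" to get the bare host string
$! (DCL string subtraction removes the first occurrence of the substring).
$ host = rem_node - "_" - "::"
$ host = f$edit(host, "TRIM,UPCASE")
$!
$! Allowed source, or exempt identifier held: let the session continue.
$ if f$locate("/" + host + "/", ssh_allowed) .lt. f$length(ssh_allowed) -
     then goto not_ssh
$ if f$locate(exempt_id, rights) .lt. f$length(rights) then goto not_ssh
$!
$! Otherwise end the interactive session before any prompt appears.
$ write sys$output "Interactive SSH sessions are not permitted from ", host
$ logout
$!
$ not_ssh:
$ set on
```

Because, as SDIH1 notes, TCP/IP Services does not run LOGIN.COM for SFTP logins, the fragment only affects terminal sessions and leaves SFTP untouched. Steven's heuristic is untested in the thread, so verify on the target system that SYS$REM_NODE and TT_ACCPORNAM behave this way for SSH and not for other network logins before relying on it, and keep the fragment ahead of anything else in LOGIN.COM so a blocked session gets no chance to run further commands.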