You can do that with an out of band authentication :
1 - the user authenticate to the firewall
2 - if the authentication is successfull, the firewal allows ssh from
this host to the external network.
Landry.
Robert Hajime Lanning a écrit :
This cannot be done by the firewall. SSH is a opaque encrypted tunnel.
You have to handle this outside the tunnel part. ie. at the client or
server end.
Preferably at the server end, where there is more trust.
But how do you give shell without the capability to transfer a file?
You can't,
unless you remove the file transfer parts of the server and create a
restricted
shell for the user.
$ tar -cf - dir-of-files | ssh servername "tar -xf -"
$ ssh servername "cat > file.txt" < file.txt
...
On 6/26/06, Odaniel, Jim (Mission Systems) <Jim.Odaniel@ngc.com> wrote:
Hi,
I have a unique ssh/sftp requirement. I have two networks
separated by a firewall. I would like to allow anyone on my "internal"
network to ssh to my "external" network but I would like to control who
is allowed to sftp/scp files from my internal network to my external
network. How can I do this? Is there a way to do this if my firewall
doesn't support controlling such an activity? Will setting up some kind
of internal proxy/port forwarding server do the trick?
The version that I am using is:
OpenSSH_4.1, OpenSSL 0.9.7e 25 Oct 2004
HP-UX Secure Shell - A.04.00.000
Thanks for your help!
Jim O'Daniel
Unix Systems Administrator Northrop Grumman
Jim.odaniel@ngc.com
--
############################################################
BRUNEL Landry
EPSHOM
CIS/MIC (antenne Toulouse)
42, Ave Gaspard Coriolis
31057 TOULOUSE CEDEX
Email: landry.brunel@shom.fr
Tel : (33) 05 61 43 35 04
Fax : (33) 05 62 14 06 10
############################################################
