Configuring policies for SSH channels

Channel-open requests coming from the server side and from the client side are controlled by the server_channel and client_channel hashes, respectively. These hashes are indexed by the channel type (e.g., session). The available channel types are listed in the following table.

Channel type              Description
session                   Channels for terminal shells, remote execution requests (e.g., scp), and SFTP.
direct-tcpip              Channels for client-to-server forwarded connections.
forwarded-tcpip           Channels for server-to-client forwarded connections.
auth-agent                Channels for forwarding authentication agents.
auth-agent@openssh.com    Channels for forwarding authentication agents, as implemented in OpenSSH.
x11                       Channels for forwarding graphical interfaces.

Table 4.71.  The list of available channel types.

The possible actions are described in the following table. See also Section 2.1, Policies for requests and responses.

Action code        Description
SSH_CHAN_ACCEPT    Accept the channel opening request without any modification.
SSH_CHAN_REJECT    Reject the channel opening request.
SSH_CHAN_POLICY    Call the specified function to decide about the channel opening request.
SSH_CHAN_ABORT     Reject the channel opening request and terminate the connection.

Table 4.72.  Action codes for SSH channel open requests.

Example 4.45. Enabling and disabling SSH channels

The following proxy class accepts only terminal session (shell) channels from the client and rejects every other channel type, so port forwarding, agent forwarding and X11 forwarding cannot be opened through the proxy.

class ShellonlySshProxy(SshProxy):
    def config(self):
        # Channel types with an exact entry are accepted.
        self.client_channel["session"] = (SSH_CHAN_ACCEPT)
        self.client_channel["session-shell"] = (SSH_CHAN_ACCEPT)
        # The "*" wildcard catches every channel type without an exact entry
        # (direct-tcpip, forwarded-tcpip, auth-agent, x11, ...) and rejects it.
        self.client_channel["*"] = (SSH_CHAN_REJECT)
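To make the lookup order and the four action codes concrete, here is a constructed Python model of a channel policy hash; it is an added example, not Zorp's implementation or the proxy's API. It assumes, as the example above implies, that an exact channel-type key takes precedence over the "*" wildcard, that a missing entry behaves like SSH_CHAN_REJECT, and that a SSH_CHAN_POLICY decision function receives the channel type plus a request-details dict and returns an action code itself (all assumptions).

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple

# Action code names from the page; the numeric values are constructed for this model.
SSH_CHAN_ACCEPT, SSH_CHAN_REJECT, SSH_CHAN_POLICY, SSH_CHAN_ABORT = range(4)

Policy = Tuple  # (action,) or (SSH_CHAN_POLICY, decision_function)


@dataclass
class ChannelPolicyModel:
    """Constructed model of a client_channel/server_channel hash (not Zorp's code)."""
    table: Dict[str, Policy] = field(default_factory=dict)
    connection_alive: bool = True

    def decide(self, channel_type: str, ctx: dict) -> str:
        # Exact channel type wins, "*" is the fallback, and no entry at all is
        # treated as a reject (assumption, so an unlisted type is never let through).
        entry = self.table.get(channel_type, self.table.get("*", (SSH_CHAN_REJECT,)))
        action = entry[0]
        if action == SSH_CHAN_POLICY:
            # Assumed decision-function shape: (channel_type, ctx) -> action code.
            action = entry[1](channel_type, ctx)
        if action == SSH_CHAN_ABORT:
            self.connection_alive = False  # the whole SSH connection is torn down
            return "abort"
        return "accept" if action == SSH_CHAN_ACCEPT else "reject"


def shell_only() -> ChannelPolicyModel:
    # The ShellonlySshProxy table from the page, expressed in the model.
    return ChannelPolicyModel({
        "session": (SSH_CHAN_ACCEPT,),
        "session-shell": (SSH_CHAN_ACCEPT,),
        "*": (SSH_CHAN_REJECT,),
    })


def only_db_forwarding(channel_type: str, ctx: dict) -> int:
    # Hypothetical decision function: allow client-to-server forwarding only to
    # a constructed destination port and abort the connection on anything else.
    return SSH_CHAN_ACCEPT if ctx.get("dst_port") == 5432 else SSH_CHAN_ABORT


def forwarding_gated() -> ChannelPolicyModel:
    # Shell sessions plus policy-gated direct-tcpip; everything else rejected.
    return ChannelPolicyModel({
        "session": (SSH_CHAN_ACCEPT,),
        "direct-tcpip": (SSH_CHAN_POLICY, only_db_forwarding),
        "*": (SSH_CHAN_REJECT,),
    })
```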