Changing the default behavior of requests arriving from the server and the client side is possible using the `server_request` and `client_request` attributes. All requests specified in the RFCs are supported. The index of these hashes is composed of the channel type (e.g.: `session`, see Section 4.20.2.1, Configuring policies for SSH channels for a detailed list), a single hyphen, and the request name as defined by the SSH protocol specification. E.g.: `session-x11-req`. The possible actions are described in the following table. See also Section 2.1, Policies for requests and responses.

Action | Description |
---|---|
SSH_REQ_ACCEPT | Accept the request without any modification. |
SSH_REQ_REJECT | Reject the request. |
SSH_REQ_POLICY | Call the function specified to make a decision about the request. |
SSH_REQ_ABORT | Reject the request and terminate the connection. |
Table 4.58. Action codes for SSH channel and global requests.
For complex decisions that are based on the parameters of the requests, you have to use the `SSH_REQ_POLICY` parameter and create a function within the proxy class that examines and optionally modifies the parameters. This custom function can receive the following four attributes:

- `self`
- `side`: The side of the connection relative to PNS: `0` for the client side, `1` for the server side.
- `index`: The name of the request, e.g., `x11`, `subsystem`, etc.
- `request`: A structure that has fields containing the parameters of the request. See Section 4.20.2.3, Parameters of the SSH requests for details on the different request parameters.

See the following example.
Example 4.36. Enabling only SFTP connections

The following proxy class accepts SFTP connections. SFTP is a subsystem of SSH, therefore the parameters of the

```python
class SFtponlySshProxy(SshProxy):
    def config(self):
        SshProxy.config(self)
        # Allow session channels opened by the client
        self.client_channel["session"] = (SSH_CHAN_ACCEPT)
        # Subsystem requests are decided by the policy function below
        self.client_request["session-subsystem"] = (SSH_REQ_POLICY, self.permitSFTPOnly)
        # No terminal allocation, interactive shell, or command execution
        self.client_request["session-pty-req"] = (SSH_REQ_REJECT)
        self.client_request["session-shell"] = (SSH_REQ_REJECT)
        self.client_request["session-exec"] = (SSH_REQ_REJECT)

    def permitSFTPOnly(self, side, index, request):
        # Accept only the "sftp" subsystem; reject every other subsystem
        if request.subsystem == "sftp":
            return SSH_REQ_ACCEPT
        return SSH_REQ_REJECT
```
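The decision flow described above, as an added example that is not part of the original documentation or the product's own code: a stand-alone Python harness that resolves the `client_request` entries of Example 4.36 against constructed requests, so a policy function can be checked before it is deployed. The numeric constant values, the helpers `decide` and `run_cases`, and passing the bare request name as `index` are assumptions made for this sketch.

```python
from types import SimpleNamespace

# Stand-in values (assumption): in a real policy file these names come from
# the proxy's own module; only their distinctness matters for this check.
SSH_REQ_ACCEPT, SSH_REQ_REJECT, SSH_REQ_POLICY, SSH_REQ_ABORT = range(1, 5)
CLIENT_SIDE, SERVER_SIDE = 0, 1  # "side" values as documented above

def permit_sftp_only(side, index, request):
    """Same decision as permitSFTPOnly in Example 4.36."""
    if request.subsystem == "sftp":
        return SSH_REQ_ACCEPT
    return SSH_REQ_REJECT

# Stand-alone copy of the client_request entries from Example 4.36.
CLIENT_REQUEST = {
    "session-subsystem": (SSH_REQ_POLICY, permit_sftp_only),
    "session-pty-req": SSH_REQ_REJECT,
    "session-shell": SSH_REQ_REJECT,
    "session-exec": SSH_REQ_REJECT,
}

def decide(table, side, channel, name, request=None):
    """Resolve one request to an action code, or None if the table has no
    entry for it (the proxy's default for unlisted requests is not modelled)."""
    key = "%s-%s" % (channel, name)  # channel type, hyphen, request name
    if key not in table:
        return None
    entry = table[key]
    action = entry[0] if isinstance(entry, tuple) else entry
    if action != SSH_REQ_POLICY:
        return action
    verdict = entry[1](side, name, request)
    # Harness rule (assumption): a callback must answer with a final action.
    if verdict not in (SSH_REQ_ACCEPT, SSH_REQ_REJECT, SSH_REQ_ABORT):
        raise ValueError("policy for %s returned %r" % (key, verdict))
    return verdict

def run_cases():
    """Constructed requests, keyed by a label, mapped to the decided action."""
    sub = lambda s: SimpleNamespace(subsystem=s)
    d = lambda name, req=None: decide(CLIENT_REQUEST, CLIENT_SIDE, "session", name, req)
    return {
        "sftp": d("subsystem", sub("sftp")),
        "SFTP": d("subsystem", sub("SFTP")),      # exact string match only
        "netconf": d("subsystem", sub("netconf")),
        "shell": d("shell"),
        "x11-req": d("x11-req"),                  # not listed in the example
    }
```

A `None` result marks a request the table does not cover, which is the case to review against the proxy's defaults.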
© 2021 BalaSys IT Security.