4.20.2.2. Configuring policies for SSH requests

Changing the default behavior of requests arriving from the server and the client side is possible using the server_request and client_request attributes. All requests specified in the RFCs are supported. The index of these hashes is composed of the channel type (e.g.: session, see Section 4.20.2.1, Configuring policies for SSH channels for a detailed list), a single hyphen, and the request name as defined by the SSH protocol specification. E.g.: session-x11-req. The possible actions are described in the following table. See also Section 2.1, Policies for requests and responses.

ActionDescription
SSH_REQ_ACCEPT Accept the request without any modification.
SSH_REQ_REJECT Reject the request.
SSH_REQ_POLICY Call the function specified to make a decision about the request.
SSH_REQ_ABORT Reject the request and terminate the connection.

Table 4.58.  Action codes for SSH channel and global requests.

For complex decisions that are based on the parameters of the requests, you have to use the SSH_REQ_POLICY parameter and create a function within the proxy class that examines and optionally modifies the parameters.

This custom function can receive the following four attributes:

self

side

The side of the connection relative to PNS: 0 for the client side, 1 for the server side.

index

The name of the request, e.g., x11, subsystem, etc.

request

A structure that has fields containing the parameters of the request. See Section 4.20.2.3, Parameters of the SSH requests for details on the different request parameters.

See the following example.

Example 4.36. Enabling only SFTP connections

The following proxy class accepts SFTP connections. SFTP is a subsystem of SSH, therefore the parameters of the session-subsystem request must be examined. (This is for example only, for SFTP only configuration use SshProxySftpOnly predefined class)

class SFtponlySshProxy(SshProxy):
        def config(self):
                SshProxy.config(self)
                self.client_channel["session"] = (SSH_CHAN_ACCEPT)
                self.client_request["session-subsystem"] = (SSH_REQ_POLICY, self.permitSFTPOnly)
                self.client_request["session-pty-req"] = (SSH_REQ_REJECT)
                self.client_request["session-shell"] = (SSH_REQ_REJECT)
                self.client_request["session-exec"] = (SSH_REQ_REJECT)
        def permitSFTPOnly(self, side, index, request):
                if request.subsystem == "sftp":
                    return SSH_REQ_ACCEPT
                return SSH_REQ_REJECT