4.25.2.2. Configuring policies for SSH requests

The default handling of requests arriving from the client and the server side can be changed with the client_request and server_request attributes. All requests specified in the RFCs are supported. The index of these hashes is composed of the channel type (e.g., session; see Section 4.25.2.1, Configuring policies for SSH channels for a detailed list), a single hyphen, and the request name as defined by the SSH protocol specification, e.g., session-x11-req. The possible actions are described in the following table. See also Section 2.1, Policies for requests and responses.

Action           Description
SSH_REQ_ACCEPT   Accept the request without any modification.
SSH_REQ_REJECT   Reject the request.
SSH_REQ_POLICY   Call the function specified to make a decision about the request.
SSH_REQ_ABORT    Reject the request and terminate the connection.

Table 4.74. Action codes for SSH channel and global requests.

For complex decisions that depend on the parameters of a request, use the SSH_REQ_POLICY action and create a function within the proxy class that examines and optionally modifies the parameters.

This custom function receives the following four parameters:

self

side

The side of the connection relative to Zorp: 0 for the client side, 1 for the server side.

index

The name of the request, e.g., x11, subsystem, etc.

request

A structure that has fields containing the parameters of the request. See Section 4.25.2.3, Parameters of the SSH requests for details on the different request parameters.

See the following example.

Example 4.46. Enabling only SFTP connections

The following proxy class accepts only SFTP connections. SFTP is a subsystem of SSH, therefore the parameters of the session-subsystem request must be examined. (This is an example only; for an SFTP-only configuration, use the predefined SshProxySftpOnly class.)

class SFtponlySshProxy(SshProxy):
    def config(self):
        SshProxy.config(self)
        # Allow session channels, but decide per request what may run inside them.
        self.client_channel["session"] = (SSH_CHAN_ACCEPT)
        # Subsystem requests are inspected by permitSFTPOnly; interactive
        # sessions (pty, shell) and command execution are refused outright.
        self.client_request["session-subsystem"] = (SSH_REQ_POLICY, self.permitSFTPOnly)
        self.client_request["session-pty-req"] = (SSH_REQ_REJECT)
        self.client_request["session-shell"] = (SSH_REQ_REJECT)
        self.client_request["session-exec"] = (SSH_REQ_REJECT)

    def permitSFTPOnly(self, side, index, request):
        # Only the sftp subsystem is permitted; any other subsystem is rejected.
        if request.subsystem == "sftp":
            return SSH_REQ_ACCEPT
        return SSH_REQ_REJECT
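To make the dispatch described above concrete without a Zorp installation, the following stand-alone Python model is added here; it is not Zorp's code. It reproduces the hash index (channel type, hyphen, request name), the bare-action versus (SSH_REQ_POLICY, callback) tuple forms, the (side, index, request) callback signature and the SSH_REQ_ABORT semantics; the numeric action values, the Request structure, the reject-by-default for unlisted requests and the session-exec abort entry are constructed assumptions.

```python
"""Constructed model of client_request dispatch in an SSH proxy (not Zorp code)."""
from collections import namedtuple

# Action codes named in Table 4.74; the numeric values are arbitrary here.
SSH_REQ_ACCEPT, SSH_REQ_REJECT, SSH_REQ_POLICY, SSH_REQ_ABORT = range(4)

# Minimal stand-in for the request structure handed to a policy callback.
Request = namedtuple("Request", ["subsystem", "command"], defaults=[None, None])


class ConnectionAborted(Exception):
    """Raised when SSH_REQ_ABORT rejects the request and tears down the connection."""


def evaluate_request(request_table, side, channel_type, request_name, request):
    """Look up '<channel type>-<request name>' and apply the configured action.

    A bare action or a one-element tuple applies directly; SSH_REQ_POLICY calls
    the callback with (side, index, request). Requests not listed in the table
    are rejected (assumed default for this model)."""
    index = f"{channel_type}-{request_name}"
    entry = request_table.get(index, SSH_REQ_REJECT)
    if not isinstance(entry, tuple):
        entry = (entry,)
    action = entry[0]
    if action == SSH_REQ_POLICY:
        action = entry[1](side, request_name, request)
    if action == SSH_REQ_ABORT:
        raise ConnectionAborted(index)
    return action


def permit_sftp_only(side, index, request):
    """Same decision as Example 4.46, additionally honouring only client-side (0) requests."""
    if side == 0 and request.subsystem == "sftp":
        return SSH_REQ_ACCEPT
    return SSH_REQ_REJECT


# Constructed client_request table; session-exec aborts instead of merely rejecting.
CLIENT_REQUEST = {
    "session-subsystem": (SSH_REQ_POLICY, permit_sftp_only),
    "session-pty-req": SSH_REQ_REJECT,
    "session-shell": SSH_REQ_REJECT,
    "session-exec": SSH_REQ_ABORT,
}


def decide(channel_type, request_name, **fields):
    """Evaluate one client-side request against CLIENT_REQUEST."""
    return evaluate_request(CLIENT_REQUEST, 0, channel_type, request_name, Request(**fields))


def aborts(channel_type, request_name, **fields):
    """True when the request terminates the connection (SSH_REQ_ABORT)."""
    try:
        decide(channel_type, request_name, **fields)
    except ConnectionAborted:
        return True
    return False
```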