When a user logs in to an endpoint using SFTP, the SFTP application uses SSH to authenticate the user. When CA ControlMinder intercepts the login attempt from the SFTP application, by default it treats the login as an SSH login and uses the rules for the SSH LOGINAPPL record to permit or deny the login attempt.
To configure CA ControlMinder to distinguish SFTP and SSH login attempts and to write separate rules for SFTP and SSH logins, you must enable SFTP login interception.
To enable SFTP login interception
1. Enable EXEC login interception for SSH logins:
er LOGINAPPL SSH loginflags(EXECLOGIN)
This command specifies that the trigger for SSH logins is the first EXEC action that a process performs.
2. Create a LOGINAPPL record for SFTP:
er LOGINAPPL SFTP loginpath(path) defaccess(a)
path: Specifies the full path to the SFTP login application.
This command creates a LOGINAPPL record named SFTP, defines the path to the SFTP login application, and specifies that all users can use SFTP to log in to the endpoint if no additional restrictions exist.
Example: Enable SFTP Login Interception
This example enables SFTP login interception for the SFTP login application located at /usr/libexec/openssh/sftp-server. The first selang command also specifies that CA ControlMinder uses PAM login interception for SSH logins:
er LOGINAPPL SSH loginflags(EXECLOGIN, PAMLOGIN)
er LOGINAPPL SFTP loginpath(/usr/libexec/openssh/sftp-server) defaccess(a)
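The whole point of separating the two records is to be able to write different rules for SFTP and SSH logins, which the example above does not show. The following selang session is an added example and is not part of the CA ControlMinder documentation. It assumes the same sftp-server path as above, a group named sftpusers and a user named batchxfer (both hypothetical), and it uses the generic selang authorize syntax with access(all) and access(none); confirm the exact access values accepted for the LOGINAPPL class in the selang Reference Guide before using it.

```selang
# Added example, not CA ControlMinder's own documentation.
# Assumes sftp-server at /usr/libexec/openssh/sftp-server and that the
# group "sftpusers" and user "batchxfer" exist on the endpoint (hypothetical).

# 1. SSH logins: trigger on the first EXEC, with PAM login interception
er LOGINAPPL SSH loginflags(EXECLOGIN, PAMLOGIN)

# 2. SFTP logins: separate record keyed on the sftp-server path.
#    defaccess(none) instead of defaccess(a): nobody may log in over SFTP
#    unless a rule below explicitly allows it (assumed access value).
er LOGINAPPL SFTP loginpath(/usr/libexec/openssh/sftp-server) defaccess(none)

# 3. Separate rules for the two login paths.
#    Members of sftpusers may transfer files ...
authorize LOGINAPPL SFTP gid(sftpusers) access(all)
#    ... and the batch transfer account gets SFTP only, never an SSH shell.
authorize LOGINAPPL SSH uid(batchxfer) access(none)
authorize LOGINAPPL SFTP uid(batchxfer) access(all)

# 4. Verify both records and their access lists before relying on them
sr LOGINAPPL SSH
sr LOGINAPPL SFTP
```

The SFTP record only matches if the path in loginpath is the binary that sshd actually executes for the sftp subsystem, so it must agree with the Subsystem sftp line in sshd_config on the endpoint; after the change, log in once over SFTP and once over SSH as batchxfer and confirm that only the first succeeds.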
Note: For more information about the LOGINAPPL class, see the selang Reference Guide.
Copyright © 2013 CA Technologies.
All rights reserved.