Enable SFTP Login Interception

When a user logs in to an endpoint using SFTP, the SFTP application uses SSH to authenticate the user. When CA ControlMinder intercepts the login attempt from the SFTP application, by default it treats the login as an SSH login and uses the rules for the SSH LOGINAPPL record to permit or deny the login attempt.

To write separate rules for SFTP and SSH logins, you must first enable SFTP login interception so that CA ControlMinder can distinguish SFTP login attempts from SSH login attempts.

To enable SFTP login interception

  1. Open a command prompt window on the endpoint.
  2. Enter the following selang command:

     er LOGINAPPL SSH loginflags(EXECLOGIN)

     This command specifies that the trigger for SSH logins is the first EXEC action that a process performs.

  3. Enter the following selang command:

     er LOGINAPPL SFTP loginpath(path) defaccess(a)

     loginpath(path)

     Specifies the full path to the SFTP login application.

     This command creates a LOGINAPPL record named SFTP, defines the path to the SFTP login application, and specifies that all users can use SFTP to log in to the endpoint if no additional restrictions exist.

Example: Enable SFTP Login Interception

This example enables SFTP login interception for the SFTP login application located at /usr/libexec/openssh/sftp-server. The first selang command also specifies that CA ControlMinder uses PAM login interception for SSH logins:

er LOGINAPPL SSH loginflags(EXECLOGIN, PAMLOGIN)
er LOGINAPPL SFTP loginpath(/usr/libexec/openssh/sftp-server) defaccess(a)

Note: For more information about the LOGINAPPL class, see the selang Reference Guide.
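The following script is an added example, not part of the CA ControlMinder documentation. It reads the OpenSSH sshd_config "Subsystem sftp" directive to find the SFTP login application and emits the two selang commands from the procedure above, so the loginpath(path) value matches what sshd actually runs. It assumes a separate sftp-server binary: internal-sftp runs inside the sshd process and has no path to place in loginpath(path), so no SFTP record is emitted for it.

```shell
#!/bin/sh
# Added example (not CA ControlMinder's own code): generate the selang
# commands that enable SFTP login interception from an sshd_config file.

# Print the path named by "Subsystem sftp <path>" in the given sshd_config.
# Prints nothing when the directive is absent or names internal-sftp
# (no separate executable exists for loginpath() in that case).
sftp_server_path() {
    awk 'tolower($1)=="subsystem" && tolower($2)=="sftp" { print $3; exit }' "$1" \
        | grep -v '^internal-sftp$' || true
}

# Emit the two selang commands for the given sshd_config.
# Returns 1 when no separate SFTP server binary is configured.
sftp_selang_rules() {
    _path=$(sftp_server_path "$1")
    [ -n "$_path" ] || return 1
    printf 'er LOGINAPPL SSH loginflags(EXECLOGIN)\n'
    printf 'er LOGINAPPL SFTP loginpath(%s) defaccess(a)\n' "$_path"
}

# Write a constructed sample sshd_config to $1 whose sftp subsystem is $2.
# This is test input only, not a real host's configuration.
write_sample_config() {
    cat > "$1" <<EOF
# constructed sample sshd_config
Port 22
PasswordAuthentication no
Subsystem sftp $2
EOF
}

# Stand-alone demo: a config that uses the OpenSSH sftp-server binary.
_demo=$(mktemp)
write_sample_config "$_demo" /usr/libexec/openssh/sftp-server
sftp_selang_rules "$_demo"
rm -f "$_demo"
```

Review the generated commands before feeding them to selang; defaccess(a) permits every user until you add restrictions to the SFTP record.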

More information:

LOGINAPPL Class