Chat now with support
Chat with Support

One Identity Safeguard for Privileged Sessions 8.0 LTS - Getting Started with Safeguard for Privileged Sessions as a Virtual Appliance

Permitting or denying access to SSH channels

For certain protocols, multiple channels are defined each of which is responsible for a specific functionality supported by the protocol. For example, the Session Shell channel is the traditional remote terminal session, while the Session Exec channel allows to execute a remote command (for example rsync without opening a session shell.

For details on the supported SSH channel types, see Supported SSH channel types in the Administration Guide.

SPS can permit/deny access to these functionalities based on various parameters of a connection (for example time of the day, username, and so on) to provide an additional level of access control and protection.

Figure 4: Controlling protocol channels

Access to sub-channels is controlled by channel policies. The default SSH channel policy allows session shell access only.

For details, see Creating and editing channel policies in the Administration Guide.

Configuring SCP and SFTP access in SSH

To configure SCP and SFTP access in SSH

  1. Navigate to Traffic Controls > SSH > Channel Policies and click to create a new channel policy. Enter a name for the policy into the Channel Policy field (for example, shell_and_backup).

  2. Click to add a new channel.

  3. Select Session Exec SCP from the Type field.

  4. Restrict the availability of the channel based on your preferences.

    For details, see Creating and editing channel policies in the Administration Guide.

  5. To be able to extract the original file from the corresponding audit trail for further inspection, select the Record audit trail option to record the activities of the channel into audit trails.

  6. (Optional) To also configure SFTP channel access, add a new channel and repeat the steps above, but this time, select Session SFTP from the Type field.

Authorizing and monitoring a connection personally in real-time

This is called four-eyes authorization in SPS terminology. When four-eyes authorization is required for a connection, a user (called authorizer) must authorize the connection on SPS as well. This authorization is in addition to any authentication or group membership requirements needed for the user to access the remote server. Any connection can use four-eyes authorization, so it provides a protocol-independent, outband authorization and monitoring method.

The authorizer has the possibility to terminate the connection any time, and also to monitor real-time the events of the authorized connections: SPS can stream the traffic to the Safeguard Desktop Player application, where the authorizer (or a separate auditor) can watch exactly what the user does on the server, just like watching a movie.

Figure 5: Four-eyes authorization

For details on four-eyes authorization, see Four-eyes authorization in the Administration Guide.

Configuring four-eyes authorization

To configure four-eyes authorization

  1. To enforce four-eyes authorization, navigate to Traffic Controls > SSH > Connections.

  2. Select the connection policy to modify. Navigate to Access Control and click .

  3. Enter the name of the usergroup whose members are permitted to authorize the sessions of the connection policy into the Authorizer field.

  4. Configure the parameters of four-eyes authorization. For details, see Four-eyes authorization in the Administration Guide.

  5. Navigate to Traffic Controls > SSH > Channel Policies, and select the channel policy used in the connection.

  6. Enable the 4 eyes option for the channels which should be accessed only using four-eyes authorization.

  7. Click Commit.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating