Combining Secure Shell Rights
You can add predefined SSH rights to any role that can be assigned to Active Directory users, and you can combine different rights for fine-grained control over the specific secure shell operations users are allowed to perform. For Linux and UNIX computers, only the following predefined secure shell session-based rights are available:
- dzssh-all grants access to all secure shell services.
- dzssh-direct-tcpip allows local and dynamic port forwarding (ssh -L, ssh -D).
- dzssh-exec allows command execution.
- dzssh-scp allows secure copy (scp) operations.
- dzssh-sftp allows secure file transfer (sftp) operations.
- dzssh-shell allows secure terminal (tty/pty) connections.
- dzssh-Subsystem allows use of an external subsystem other than the sftp subsystem, which has its own right.
- dzssh-tcpip-forward allows remote port forwarding (ssh -R).
- dzssh-tunnel allows tunnel device forwarding.
- dzssh-X11-forwarding allows X11 forwarding.
Starting in the Server Suite 2023.1 release, the scp command's default protocol is the sftp protocol. When scp uses the sftp protocol (the default), the user must be assigned dzssh-sftp. When scp is run with the -O option, which selects the scp protocol instead, the user must be assigned dzssh-scp.
When combining rights into role definitions, keep in mind that some secure shell operations require you to explicitly include the dzssh-exec right. For example, if you include the dzssh-scp right in a role definition, a user might attempt to execute an arbitrary program with a command line similar to the following:
ssh troll@localhost scp -S/home/troll/script " -f "
Because this command line presents a potential security risk, the operation is not allowed. To prevent the dzssh-scp right from being used on its own to execute an arbitrary program on a remote computer, the -S command line option is only supported if you also include the dzssh-exec right in the role definition. Similarly, you must explicitly include the dzssh-exec right in a role definition if you want to support using the dzssh-sftp right with the -S command line option. For security reasons, only the dzssh-exec right allows the remote execution of a program on a target computer.
If the dzssh-exec right is not included in the role definition when it is required, users will see an “access denied” message.
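As an added illustration of the rules above (this is not part of the Server Suite documentation or product), the following POSIX shell function takes the arguments a user would pass to scp and lists the dzssh rights a role definition must contain for that invocation to succeed: dzssh-sftp for the default sftp protocol, dzssh-scp when -O selects the scp protocol, and dzssh-exec in addition whenever -S names a program. The function name and its simplified option handling are assumptions made for this example; it recognises only the options that affect the required rights and ignores everything else.

```shell
#!/bin/sh
# Added example, not part of the Server Suite documentation.
# scp_required_rights: given scp arguments, print the dzssh rights the role
# definition needs, according to the rules on this page:
#   - scp defaults to the sftp protocol          -> dzssh-sftp
#   - scp -O selects the scp protocol            -> dzssh-scp
#   - scp -S <program> (with either protocol)    -> dzssh-exec as well
# Option parsing is deliberately minimal (an assumption of this example):
# only -O, -S and -S<program> are interpreted; other flags, sources and
# destinations are passed over.
scp_required_rights() {
    proto_right="dzssh-sftp"   # default since Server Suite 2023.1
    needs_exec=no
    while [ $# -gt 0 ]; do
        case "$1" in
            -O)  proto_right="dzssh-scp" ;;          # legacy scp protocol selected
            -S)  needs_exec=yes                       # -S takes a separate program argument
                 [ $# -gt 1 ] && shift ;;             # skip that argument if present
            -S*) needs_exec=yes ;;                    # -S/path form, as in the page's example
            *)   ;;                                   # anything else does not change the rights
        esac
        shift
    done
    if [ "$needs_exec" = yes ]; then
        printf '%s %s\n' "$proto_right" dzssh-exec
    else
        printf '%s\n' "$proto_right"
    fi
}

# Constructed sample invocations (hostnames and paths are placeholders).
echo "scp file user@host:/tmp/           -> $(scp_required_rights file user@host:/tmp/)"
echo "scp -O file user@host:/tmp/        -> $(scp_required_rights -O file user@host:/tmp/)"
echo "scp -S/home/user/script -f x       -> $(scp_required_rights -S/home/user/script -f x)"
```

Running the script prints one line per sample invocation with the rights it requires; a role that lacks one of the listed rights will produce the "access denied" message described above.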
You should note that you cannot add any secure shell rights to role definitions that allow local users. You can only include them in role definitions for Active Directory users.