Enable SFTP Login Interception
When a user logs in to an endpoint using SFTP, the SFTP application uses SSH to authenticate the user. When Privileged Access Manager Server Control intercepts the login attempt from the SFTP application, it treats the login as an SSH login by default. The product uses the rules for the SSH LOGINAPPL record to permit or deny the login attempt.

To configure Privileged Access Manager Server Control to distinguish SFTP and SSH login attempts, and to write separate rules for SFTP and SSH logins, enable SFTP login interception.

To enable SFTP login interception
- Open a command prompt window on the endpoint.
- Enter the following selang command:
    er LOGINAPPL SSH loginflags(EXECLOGIN)
  This command specifies that the trigger for SSH logins is the first EXEC action that a process performs.
- Enter the following selang command:
    er LOGINAPPL SFTP loginpath(path) defaccess(a)
  loginpath(path)
    Specifies the full path to the SFTP login application.
Example: Enable SFTP Login Interception
This example enables SFTP login interception for the SFTP login application located at /usr/libexec/openssh/sftp-server. The first selang command also specifies that Privileged Access Manager Server Control uses PAM login interception for SSH logins:
    er LOGINAPPL SSH loginflags(EXECLOGIN, PAMLOGIN)
    er LOGINAPPL SFTP loginpath(/usr/libexec/openssh/sftp-server) defaccess(a)
For more information about the LOGINAPPL class, see the selang Reference Guide.