Enable SFTP Login Interception

When a user logs in to an endpoint using SFTP, the SFTP application uses SSH to authenticate the user. When Privileged Access Manager intercepts the login attempt from the SFTP application, it treats the login as an SSH login by default. The product uses the rules for the SSH LOGINAPPL record to permit or deny the login attempt.
To configure Privileged Access Manager to distinguish SFTP and SSH login attempts and to write separate rules for SFTP and SSH logins, enable SFTP login interception.
To enable SFTP login interception
  1. Open a command prompt window on the endpoint.
  2. Enter the following selang command:
    er LOGINAPPL SSH loginflags(EXECLOGIN)
    This command specifies that the trigger for SSH logins is the first EXEC action that a process performs.
  3. Enter the following selang command:
    er LOGINAPPL SFTP loginpath(path) defaccess(a)
    • loginpath(path)
      Specifies the full path to the SFTP login application.
    This command creates a LOGINAPPL record that is named SFTP. The command defines the path to the SFTP login application, and specifies that all users can use SFTP to log in to the endpoint if no additional restrictions exist.
Example: Enable SFTP Login Interception
This example enables SFTP login interception for the SFTP login application located at /usr/libexec/openssh/sftp-server. The first selang command also specifies that Privileged Access Manager uses PAM login interception for SSH logins:
er LOGINAPPL SSH loginflags(EXECLOGIN, PAMLOGIN)
er LOGINAPPL SFTP loginpath(/usr/libexec/openssh/sftp-server) defaccess(a)
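The SFTP LOGINAPPL record matches on the exact path given in loginpath(), so the value must be the executable that sshd actually starts for SFTP sessions, which is the path on the `Subsystem sftp` line of sshd_config. The following POSIX shell script is an added illustration, not part of the Privileged Access Manager documentation or product: it reads that line from a constructed sample sshd_config embedded in the script and emits the two selang commands from the procedure with the path filled in. It stops when the subsystem is `internal-sftp`, because then sshd serves SFTP in-process and there is no separate executable to name in loginpath(). The sample configuration text and the helper names are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the Privileged Access Manager documentation).
# Takes the sftp-server path from the "Subsystem sftp" line of an sshd_config
# and emits the selang commands from the procedure with that path.

# Constructed sample sshd_config text, not a real host configuration.
SAMPLE_SSHD_CONFIG='# constructed sample sshd_config
Port 22
# Subsystem sftp /usr/lib/openssh/sftp-server   (old setting, commented out)
Subsystem	sftp	/usr/libexec/openssh/sftp-server -l INFO
PasswordAuthentication no'

# Print the sftp subsystem executable from sshd_config text read on stdin.
# Comment lines are skipped, trailing options such as "-l INFO" are dropped,
# and like sshd the first matching keyword wins. Prints "internal-sftp" when
# sshd serves SFTP in-process, i.e. when nothing separate is executed.
sftp_server_path() {
    awk 'tolower($1) == "subsystem" && tolower($2) == "sftp" && path == "" { path = $3 }
         END { print path }'
}

# Emit the two selang commands from the procedure for the given path.
# Argument 1: full path to the SFTP login application.
# Returns 1 for an empty path or internal-sftp, since loginpath() needs an executable.
selang_commands() {
    path=$1
    if [ -z "$path" ] || [ "$path" = "internal-sftp" ]; then
        echo "no separate sftp-server executable configured; loginpath() needs a path" >&2
        return 1
    fi
    printf 'er LOGINAPPL SSH loginflags(EXECLOGIN)\n'
    printf 'er LOGINAPPL SFTP loginpath(%s) defaccess(a)\n' "$path"
}

# Resolve the path from the sample config and print the commands to enter in selang.
main() {
    path=$(printf '%s\n' "$SAMPLE_SSHD_CONFIG" | sftp_server_path)
    selang_commands "$path"
}

main
```

On a real endpoint, feed the script the host's sshd_config instead of the embedded sample and paste the printed commands into selang; the output for the sample matches the second command of the example above.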
For more information about the LOGINAPPL class, see the selang Reference Guide.