Enable SFTP Login Interception
When a user logs in to an endpoint using SFTP, the SFTP application uses SSH to authenticate the user. When CA ControlMinder intercepts the login attempt from the SFTP application, by default it treats the login as an SSH login and uses the rules for the SSH LOGINAPPL record to permit or deny the login attempt.
To configure CA ControlMinder to distinguish SFTP and SSH login attempts and to write separate rules for SFTP and SSH logins, you must enable SFTP login interception.
To enable SFTP login interception
- Open a command prompt window on the endpoint.
- Enter the following selang command:
  er LOGINAPPL SSH loginflags(EXECLOGIN)
  This command specifies that the trigger for SSH logins is the first EXEC action that a process performs.
- Enter the following selang command:
  er LOGINAPPL SFTP loginpath(path) defaccess(a)
  - loginpath(path)
    Specifies the full path to the SFTP login application.
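The two rules above only take effect if loginpath points at the SFTP server binary that is actually executed on the endpoint; a typo or a relative path silently leaves SFTP logins governed by the SSH record. The following POSIX shell function is an added example, not part of the CA ControlMinder documentation or product: it checks that the supplied path is absolute and executable before printing the selang commands to feed to selang (the function name, its "pam" option and the way you pipe its output are assumptions, not product features).

```shell
#!/bin/sh
# Added example (not CA ControlMinder code): validate the SFTP server path
# and emit the two selang rules for SFTP login interception.
# Usage: sftp_loginappl_rules /usr/libexec/openssh/sftp-server [pam]
#   "pam" as the second argument adds PAMLOGIN to the SSH loginflags,
#   as in the documentation's example. (Hypothetical helper.)
sftp_loginappl_rules() {
  path="$1"
  mode="$2"

  # loginpath must be a full path; a relative path will never match the
  # process that the kernel interceptor sees.
  case "$path" in
    /*) ;;
    *) echo "loginpath must be an absolute path: $path" >&2; return 1 ;;
  esac

  # The rule is pointless if the binary is not present and executable
  # on this endpoint.
  [ -x "$path" ] || { echo "not an executable file: $path" >&2; return 1; }

  if [ "$mode" = "pam" ]; then
    printf 'er LOGINAPPL SSH loginflags(EXECLOGIN, PAMLOGIN)\n'
  else
    printf 'er LOGINAPPL SSH loginflags(EXECLOGIN)\n'
  fi
  printf 'er LOGINAPPL SFTP loginpath(%s) defaccess(a)\n' "$path"
}
```

Run it with the real sftp-server path on the endpoint and review the printed rules before entering them in selang; a non-zero exit means the path would not have matched anything.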
Example: Enable SFTP Login Interception
This example enables SFTP login interception for the SFTP login application located at /usr/libexec/openssh/sftp-server. The first selang command also specifies that CA ControlMinder uses PAM login interception for SSH logins:
er LOGINAPPL SSH loginflags(EXECLOGIN, PAMLOGIN)
er LOGINAPPL SFTP loginpath(/usr/libexec/openssh/sftp-server) defaccess(a)
For more information about the LOGINAPPL class, see the selang Reference Guide.