protection to sshd subsystem: sftp

Posted: Wed Sep 08, 2010 9:33 am
by Shady
Hi all....


My question addresses TCPIP...:
I know I can reserve a port like this..
PORT 22 TCP SSHD* SAF SSHD
where the SAF SSHD identifies the following SERVAUTH profile:
EZB.PORTACCESS.sysname.tcpname.SSHD
This would reserve the port for the SSHD* proc started by the user who has a permit to the SSHD resname...

The background is the following...:
SFTP is a subsys of the SSHD. SSHD forks processes in the USS on that port (def. 22).
We want to protect SFTP to some users. The problem is that the fork is independent of the user who starts the SFTP request, because when SSHD is started the forks would be permitted through the SSHD* user...

So... Perhaps someone has an idea to protect the sftp subsystem to some users like it is done by normal FTP (EZB.FTP.sysname.ftpdaemonname.PORTnnnnn)...?
It doesn't have to be with a port statement. Maybe someone has another idea? Preferably with RACF options...

THX
Shady