Combining secure shell rights

You can add predefined SSH rights to any role that can be assigned to Active Directory users, and you can combine different rights for fine-grained control over the specific secure shell operations users are allowed to perform. For Linux and UNIX computers, only the following predefined secure shell session-based rights are available:

  • dzssh-all grants access to all secure shell services.
  • dzssh-direct-tcpip allows local and dynamic port forwarding (ssh -L, ssh -D).
  • dzssh-exec allows command execution.
  • dzssh-scp allows secure copy (scp) operations.
  • dzssh-sftp allows secure file transfer (sftp) operations.
  • dzssh-shell allows secure terminal (tty/pty) connections.
  • dzssh-Subsystem allows any external subsystem other than the sftp subsystem, which has its own right (dzssh-sftp).
  • dzssh-tcpip-forward allows remote port forwarding (ssh -R).
  • dzssh-tunnel allows tunnel device forwarding.
  • dzssh-X11-forwarding allows X11 forwarding.

When combining rights into role definitions, keep in mind that some secure shell operations require you to explicitly include the dzssh-exec right. For example, if you include only the dzssh-scp right in a role definition, a user might attempt to execute an arbitrary program with a command line similar to the following:

ssh troll@localhost scp -S/home/troll/script " -f "

The scp -S option names the program scp runs to open its connection, so here scp would execute /home/troll/script, with arguments the user controls, instead of ssh. Because this command line presents a security risk, the operation is not allowed. To prevent the dzssh-scp right from being used on its own to execute an arbitrary program on a remote computer, the -S command line option is supported only if you also include the dzssh-exec right in the role definition. Similarly, you must explicitly include the dzssh-exec right in a role definition if you want to support using the dzssh-sftp right with the -S command line option, which has the same meaning for sftp. For security reasons, only the dzssh-exec right allows the remote execution of a program on a target computer.

If the dzssh-exec right is not included in the role definition when it is required, users will see an “access denied” message.

Note that you cannot add any secure shell rights to role definitions that allow local users; you can include them only in role definitions for Active Directory users.
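The following is an added example, written for this page and not Centrify's own code, that models the rules above as a small policy evaluator: a session request is checked against the dzssh-* rights in a role, dzssh-all satisfies every check, scp or sftp run as a remote command with -S additionally requires dzssh-exec, and a role that allows local users rejects secure shell rights. It assumes (hypothetically) that the sshd-side check sees the session request type plus the remote command line for exec requests, that scp and sftp are recognised by the basename of the command's first word, and that those two commands are governed by dzssh-scp and dzssh-sftp rather than by dzssh-exec. The option-letter tables come from the OpenSSH scp and sftp usage strings and are needed so that a bundled "-rS prog" is caught while an "S" inside another option's argument is not.

```python
"""Hypothetical model of combining dzssh-* rights (added example, not product code)."""
import os
import shlex
from dataclasses import dataclass, field

PREDEFINED_RIGHTS = {
    "dzssh-all", "dzssh-direct-tcpip", "dzssh-exec", "dzssh-scp",
    "dzssh-sftp", "dzssh-shell", "dzssh-Subsystem",
    "dzssh-tcpip-forward", "dzssh-tunnel", "dzssh-X11-forwarding",
}

# Session request type -> the single right that allows it (dzssh-all covers all).
REQUEST_RIGHT = {
    "shell": "dzssh-shell",
    "direct-tcpip": "dzssh-direct-tcpip",    # ssh -L / ssh -D
    "tcpip-forward": "dzssh-tcpip-forward",  # ssh -R
    "tunnel": "dzssh-tunnel",                # ssh -w
    "x11": "dzssh-X11-forwarding",
}

# Option letters of the OpenSSH scp/sftp clients that consume an argument
# (from their usage strings), so option bundles can be scanned correctly.
OPTS_WITH_ARG = {
    "scp": set("cDFiJloPS"),
    "sftp": set("BbcDFiJloPRSs"),
}


@dataclass
class Role:
    name: str
    rights: set = field(default_factory=set)
    allows_local_users: bool = False

    def __post_init__(self):
        unknown = self.rights - PREDEFINED_RIGHTS
        if unknown:
            raise ValueError(f"unknown secure shell right(s): {sorted(unknown)}")
        if self.allows_local_users and self.rights:
            # Page rule: SSH rights only go in roles for Active Directory users.
            raise ValueError("secure shell rights cannot be added to a role that allows local users")

    def grants(self, right):
        return "dzssh-all" in self.rights or right in self.rights


def uses_S_option(argv):
    """True if an scp/sftp command line passes -S as '-Sprog', '-S prog' or bundled '-rS prog'."""
    with_arg = OPTS_WITH_ARG[os.path.basename(argv[0])]
    i = 1
    while i < len(argv):
        tok = argv[i]
        if tok == "--" or tok == "-" or not tok.startswith("-"):
            break  # BSD getopt stops at "--" or the first non-option word
        letters = tok[1:]
        for pos, letter in enumerate(letters):
            if letter == "S":
                return True
            if letter in with_arg:
                if pos == len(letters) - 1:
                    i += 1  # the option's argument is the next token; skip it
                break       # otherwise the rest of this token is the argument
        i += 1
    return False


def authorize(role, request, command=None):
    """Decide one session request against a role. Returns (allowed, reason)."""
    if request in REQUEST_RIGHT:
        need = REQUEST_RIGHT[request]
        return (True, "ok") if role.grants(need) else (False, f"requires {need}")

    if request == "subsystem":
        need = "dzssh-sftp" if command == "sftp" else "dzssh-Subsystem"
        return (True, "ok") if role.grants(need) else (False, f"requires {need}")

    if request == "exec":
        argv = shlex.split(command or "")
        if not argv:
            return False, "empty command"
        prog = os.path.basename(argv[0])
        if prog in OPTS_WITH_ARG:  # scp or sftp invoked as the remote command
            need = f"dzssh-{prog}"
            if not role.grants(need):
                return False, f"requires {need}"
            if uses_S_option(argv) and not role.grants("dzssh-exec"):
                return False, f"-S would run an arbitrary program; requires dzssh-exec as well as {need}"
            return True, "ok"
        # Any other remote program: only dzssh-exec allows it.
        return (True, "ok") if role.grants("dzssh-exec") else (False, "requires dzssh-exec")

    return False, f"unknown request type {request!r}"


if __name__ == "__main__":
    attack = 'scp -S/home/troll/script " -f "'  # remote command from the example above
    print(authorize(Role("copy-only", {"dzssh-scp"}), "exec", attack))
    print(authorize(Role("copy-and-exec", {"dzssh-scp", "dzssh-exec"}), "exec", attack))
```

Run as a script it evaluates the page's example against a role holding only dzssh-scp (denied) and one that also holds dzssh-exec (allowed). Erring toward denial is the right direction for the parser: if in doubt whether a token is -S, treat it as the dangerous case.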