Manual Chapter : SSH proxy permissions

Applies To:

BIG-IP AFM

  • 15.0.1, 15.0.0
SSH proxy permissions

In an SSH proxy profile, you can configure whether to Allow, Disallow, or Terminate SSH proxy permissions. Non-default action rules include an Unspecified option, which means use the Default Action. You can also choose to log the rule actions.
Channel action
Description
Shell
Defines use of the shell command to establish an interactive terminal (command line) session, or shell, on the remote host. It determines whether the SSH proxy allows establishing interactive sessions.
Note that Shell depends on Other. If Other is disabled, users cannot obtain Shell access.
Sub System
Defines the use of the subsystem command to invoke remote commands that are defined on the server over the SSH tunnel. It allows SSH servers to be configured to abstract certain commands and procedures.
SFTP Up
Defines the use of Secure File Transfer Protocol (sftp) to upload (put) files over the SSH tunnel.
SFTP Down
Defines the use of Secure File Transfer Protocol (sftp) to download (get) files over the SSH tunnel.
SCP Up
Defines the use of Secure Copy (scp) to copy files from a local directory to a remote directory over the SSH tunnel.
SCP Down
Defines the use of Secure Copy (scp) to copy files from a remote directory to a local directory over the SSH tunnel.
Rexec
Defines the use of rexec remote execution commands over the SSH tunnel. SSH can be configured to deny interactive sessions, while allowing specific commands to execute on the remote host.
Forward Local
Defines the use of the -L option to do local port forwarding over the SSH tunnel. That way, SSH can be used to set up an encrypted tunnel to a remote host.
Forward Remote
Defines the use of the -R option to do remote port forwarding over the SSH tunnel. That way, SSH can be used to set up an encrypted tunnel from a remote host.
Forward X11
Defines the use of X11 forwarding over the SSH tunnel.
Agent
Defines the use of ssh-agent over the SSH tunnel. Agent forwarding specifies that the chain of SSH connections forwards key challenges back to the original agent, removing the need for passwords or private keys on intermediate machines.
Other
Provides a catch-all category. Any channel type not handled by another permission is handled here. If set to Disallow or Terminate, the following channel types are also affected (Disallowed or Terminated): Shell, Agent, X11, Local port forwarding, and Remote port forwarding.
The Lang Env Tolerance setting only takes effect when Other is set to Disallow or Terminate.
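
The Unspecified fallback and the dependency on Other described above, modelled as an added example for reviewing a profile; it is not F5 code or BIG-IP configuration syntax. It assumes the Default Action is set per permission and that only an Allow is overridden when Other blocks; all function and variable names are hypothetical.

```python
ALLOW, DISALLOW, TERMINATE, UNSPECIFIED = "Allow", "Disallow", "Terminate", "Unspecified"

PERMISSIONS = ("Shell", "Sub System", "SFTP Up", "SFTP Down", "SCP Up", "SCP Down",
               "Rexec", "Forward Local", "Forward Remote", "Forward X11", "Agent", "Other")

# Channel types this chapter lists as affected when Other is Disallow or Terminate.
DEPENDS_ON_OTHER = ("Shell", "Agent", "Forward X11", "Forward Local", "Forward Remote")


def effective_actions(default_actions, rule_actions):
    """Return {permission: (action, source)} for one rule of an SSH proxy profile."""
    resolved = {}
    for perm in PERMISSIONS:
        default = default_actions[perm]
        if default not in (ALLOW, DISALLOW, TERMINATE):
            raise ValueError(f"default action for {perm} must be explicit")
        action = rule_actions.get(perm, UNSPECIFIED)
        # Unspecified in a non-default rule means "use the Default Action".
        resolved[perm] = (default, "default") if action == UNSPECIFIED else (action, "rule")
    other = resolved["Other"][0]
    if other in (DISALLOW, TERMINATE):
        for perm in DEPENDS_ON_OTHER:
            # Model assumption: only an Allow is overridden; an explicit
            # Disallow or Terminate on the dependent permission is kept.
            if resolved[perm][0] == ALLOW:
                resolved[perm] = (other, "forced by Other")
    return resolved


def shadowed_allows(default_actions, rule_actions):
    """Permissions that look allowed in the configuration but are blocked via Other."""
    eff = effective_actions(default_actions, rule_actions)
    return sorted(p for p, (_, source) in eff.items() if source == "forced by Other")


if __name__ == "__main__":
    # Constructed sample: permissive defaults, one rule that blocks Other and SFTP upload.
    defaults = {p: ALLOW for p in PERMISSIONS}
    rule = {"Shell": ALLOW, "SFTP Up": DISALLOW, "Other": DISALLOW}
    for perm, (action, source) in effective_actions(defaults, rule).items():
        print(f"{perm:15} {action:10} ({source})")
    print("Allow settings overridden by Other:", shadowed_allows(defaults, rule))
```

A non-empty result from `shadowed_allows` points at settings that read as Allow in the profile but cannot take effect while Other is Disallow or Terminate.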