cr314 Regular Contributor.

How to configure rule for scp/sftp


    Hello everyone,

    Is it possible to configure a rule for the scp/sftp service in PAM?

    Thanks in advance.


2 Replies
achinayoung_wau Respected Contributor.

Re: How to configure rule for scp/sftp

I don't see how scp/sftp would work considering ssh works like:

ssh -t -p 2222 [user]@[pam server] [remote user]@[remote host]


Micro Focus Expert

Re: How to configure rule for scp/sftp

Check out the uscp binary that is bundled in the PAM Agent install. I believe it is /usr/bin/uscp; see man uscp. You could create a command in cmdctrl and a relevant rule to authorize access. I think you'd want to authorize in a cmdctrl rule, but keep session capture disabled, as I think it could potentially include file contents and clog audits.

Otherwise, there is an approach with the WinSCP client to use sftp through PAM. Please contact support for more details.

Otherwise, you could use the Linux cpcksh/pcksh shells to go through PAM for authorization of commands; the same CLI tools are available in the session, but with full session control capability and audit of commands. Or use elevation through usrun, similar to sudo, and have allowed commands like scp through that.
