How to enforce SFTP blind upload with a proxy?
Scenario:
I have the following nodes: a server, a proxy and multiple clients. The clients can initiate connections to the server through the proxy node, and the server cannot initiate new connections.
I want to enable clients to upload to the server, but blindly. So they can upload content, but cannot list or read from the filesystem. I want to enforce these policies on the proxy node.
The clients (mostly Windows machines) should see an SSHFS mount where they can copy files, but otherwise should always see it as an empty directory. On the server side the clients have separate users with dedicated directories.
Possible solution
Using One Identity Safeguard for Privileged Sessions (SPS)
SPS allows setting real-time content policies on SSH sessions. These policies are tested against session events. For example, according to the documentation it is possible to forbid WinSCP file transfer via SCP by matching against the string WinSCP: this is end-of-file.
I hope I can match a connection termination policy against the appropriate SFTP events (such as SSH_FXP_OPENDIR, SSH_FXP_REMOVE, SSH_FXP_RENAME and SSH_FXP_READ), to allow file transfer in only one direction.
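As an added illustration (not part of the question and not SPS code), this is what the blind-upload policy looks like at the SFTP packet level: a proxy decides per client request whether it passes, denying the request types named above and allowing SSH_FXP_OPEN only when the SSH_FXF_READ flag is absent. Packet type numbers and layouts follow the SFTP v3 draft (draft-ietf-secsh-filexfer); the allow list and the sample packets are constructed for this example.

```python
import struct

# SFTP v3 packet type numbers (draft-ietf-secsh-filexfer).
SSH_FXP_INIT, SSH_FXP_OPEN, SSH_FXP_CLOSE, SSH_FXP_READ, SSH_FXP_WRITE = 1, 3, 4, 5, 6
SSH_FXP_OPENDIR, SSH_FXP_READDIR, SSH_FXP_REMOVE, SSH_FXP_MKDIR = 11, 12, 13, 14
SSH_FXP_REALPATH, SSH_FXP_RENAME = 16, 18
SSH_FXF_READ = 0x01  # pflags bit in SSH_FXP_OPEN that requests read access

# Blind-upload allow list (an assumption of this example): everything else,
# including the stat family which also reveals file names, is dropped.
ALLOWED = {SSH_FXP_INIT, SSH_FXP_OPEN, SSH_FXP_CLOSE, SSH_FXP_WRITE,
           SSH_FXP_MKDIR, SSH_FXP_REALPATH}


def parse_packet(buf):
    """Split one SFTP packet into (type, body): uint32 length, byte type, body."""
    (length,) = struct.unpack(">I", buf[:4])
    if length < 1 or len(buf) < 4 + length:
        raise ValueError("truncated SFTP packet")
    return buf[4], buf[5:4 + length]


def decide(buf):
    """Return ('allow' | 'deny', reason) for one client-to-server SFTP packet."""
    ptype, body = parse_packet(buf)
    if ptype not in ALLOWED:
        return "deny", f"packet type {ptype} is not permitted for blind upload"
    if ptype == SSH_FXP_OPEN:
        # body layout: uint32 request-id, string filename, uint32 pflags, attrs
        (name_len,) = struct.unpack(">I", body[4:8])
        (pflags,) = struct.unpack(">I", body[8 + name_len:12 + name_len])
        if pflags & SSH_FXF_READ:
            return "deny", "SSH_FXP_OPEN requests read access"
    return "allow", "ok"


def build_packet(ptype, request_id, payload=b""):
    """Frame a packet the way a client would send it (constructed test input)."""
    body = bytes([ptype]) + struct.pack(">I", request_id) + payload
    return struct.pack(">I", len(body)) + body


def build_open(request_id, filename, pflags):
    """SSH_FXP_OPEN with empty attrs (attr flags = 0)."""
    name = filename.encode()
    payload = struct.pack(">I", len(name)) + name + struct.pack(">II", pflags, 0)
    return build_packet(SSH_FXP_OPEN, request_id, payload)


if __name__ == "__main__":
    print(decide(build_open(1, "report.pdf", 0x02 | 0x08 | 0x10)))  # WRITE|CREAT|TRUNC
    print(decide(build_open(2, "report.pdf", SSH_FXF_READ)))
    print(decide(build_packet(SSH_FXP_OPENDIR, 3, b"\x00\x00\x00\x01.")))
```

A real proxy would additionally have to reassemble packets across the SSH channel stream and decide what the client sees in place of a denied request (a status error versus closing the session, as the SPS termination policy would).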
I will test this out on a free trial of SPS, hopefully during this week, and update the question; this also depends on others... However, I asked this question because:
- The documentation didn't state whether it is possible or not.
- Or someone knows a better method for SFTP.
- Or someone knows another file transfer protocol where this can be done.