Replacing functionality provided by deprecated AccessManager

Lee Painter

The AccessManager interface and its AccessManagerAdapter implementation have been deprecated in 1.6 and replaced with several more flexible mechanisms that achieve the same behavior. Follow the instructions below for each method you previously implemented in your 1.4.x or 1.6.x server.


public boolean canConnect(String username);


This has no direct replacement. It was called during authentication, so the same effect is achieved by denying authentication from your AuthenticationProvider implementations.


public boolean canConnect(SocketAddress remoteAddress, SocketAddress localAddress);


Create an extension of com.maverick.sshd.IPPolicy overriding the following method, then set an instance of this class on the SshContext using setIPPolicy. Returning false refuses the connection before any authentication takes place.

protected boolean assertConnection(SocketAddress remoteAddress, SocketAddress localAddress) {
    // Inspect the remote (client) and local (server) addresses and decide.
    return true; // placeholder: accepts every connection; replace with your own check
}
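As an added example (not code from the Maverick SSHD project), the following IPPolicy extension refuses every connection whose source address is outside a small list of IPv4 prefixes, failing closed on anything it cannot interpret. It assumes IPPolicy has a no-argument constructor and that assertConnection is overridable as shown above; the class name, prefix list and the install helper are illustrative.

```java
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.SocketAddress;
import java.util.Arrays;
import java.util.List;

import com.maverick.sshd.IPPolicy;
import com.maverick.sshd.SshContext;

/**
 * Added example: an IPPolicy that only admits clients whose source address
 * lies inside a configured allow-list of IPv4 prefixes. Everything else,
 * including addresses it cannot parse, is refused before authentication.
 */
public class AllowListIPPolicy extends IPPolicy {

    /** Allowed source networks in "a.b.c.d/bits" notation (constructed sample values). */
    private final List<String> allowedPrefixes;

    public AllowListIPPolicy(List<String> allowedPrefixes) {
        this.allowedPrefixes = allowedPrefixes;
    }

    @Override
    protected boolean assertConnection(SocketAddress remoteAddress, SocketAddress localAddress) {
        if (!(remoteAddress instanceof InetSocketAddress)) {
            return false; // unknown address type: fail closed
        }
        InetAddress remote = ((InetSocketAddress) remoteAddress).getAddress();
        if (remote == null) {
            return false; // unresolved address: fail closed
        }
        for (String prefix : allowedPrefixes) {
            if (matches(remote, prefix)) {
                return true;
            }
        }
        return false;
    }

    /** True if addr is an IPv4 address inside the CIDR prefix; IPv6 addresses never match here. */
    static boolean matches(InetAddress addr, String cidr) {
        try {
            String[] parts = cidr.split("/");
            // parts[0] is an IP literal, so getByName does not touch DNS
            InetAddress net = InetAddress.getByName(parts[0]);
            int bits = Integer.parseInt(parts[1]);
            byte[] a = addr.getAddress();
            byte[] n = net.getAddress();
            if (a.length != 4 || n.length != 4 || bits < 0 || bits > 32) {
                return false;
            }
            int mask = bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits));
            return (toInt(a) & mask) == (toInt(n) & mask);
        } catch (Exception e) {
            return false; // a malformed rule never grants access
        }
    }

    private static int toInt(byte[] b) {
        return ((b[0] & 0xFF) << 24) | ((b[1] & 0xFF) << 16)
             | ((b[2] & 0xFF) << 8) | (b[3] & 0xFF);
    }

    /** Installs the policy on the context; setIPPolicy is the setter named in this guide. */
    public static void install(SshContext sshContext) {
        sshContext.setIPPolicy(new AllowListIPPolicy(
                Arrays.asList("10.0.0.0/8", "192.168.1.0/24"))); // constructed sample prefixes
    }
}
```

The prefix match is deliberately strict: a rule that fails to parse, or a client arriving over IPv6 when only IPv4 prefixes are configured, is denied rather than silently allowed, which is the behaviour you want from a connection-level gate.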


public boolean canOpenChannel(String sessionid, String username, Channel channel);


There is no direct replacement for this method. Use the ChannelFactory to control what channels a user has access to.


public boolean canStartShell(String sessionid, String username);
public boolean canExecuteCommand(String sessionid, String username, String cmd);
public boolean canStartSubsystem(String sessionid, String username, String subsystem);

The methods above have been replaced by a com.maverick.sshd.ShellPolicy object. If you simply want to disable one of the session types, use the default ShellPolicy installed on the SshContext and call the following:

// Removes the ability to use the 'execute command' mechanism
sshContext.getShellPolicy().remove(ShellPolicy.EXEC);

// Removes the ability to start a shell
sshContext.getShellPolicy().remove(ShellPolicy.SHELL);

// Removes the ability to start a subsystem (e.g. SFTP)
sshContext.getShellPolicy().remove(ShellPolicy.SUBSYSTEM);


If you want complete flexibility over which session types and commands are permitted, and for whom, create an extension of ShellPolicy overriding the following method:

protected boolean assertPermission(Connection con, int perm, String... args) {
    // The parameter 'perm' is the type of permission being requested: ShellPolicy.SHELL,
    // ShellPolicy.EXEC or ShellPolicy.SUBSYSTEM. The 'args' parameter carries any
    // command or subsystem values that accompany the request.
    return true; // placeholder: permits everything; replace with your own check
}
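The following ShellPolicy extension is an added example, not code from the Maverick SSHD project. It denies interactive shells outright, permits only the "sftp" subsystem, and restricts exec to an exact-match allow-list of command lines. It assumes that args[0] carries the subsystem name or the full command line, that com.maverick.sshd.Connection is the Connection type passed to assertPermission, and that SshContext exposes a setShellPolicy setter for installing a replacement policy (the guide above only mentions getShellPolicy); the class name and the allow-list contents are illustrative.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

import com.maverick.sshd.Connection;   // assumed package for the Connection type
import com.maverick.sshd.ShellPolicy;
import com.maverick.sshd.SshContext;

/**
 * Added example: a ShellPolicy that allows SFTP and a fixed set of commands
 * and nothing else. Every branch that is not explicitly permitted returns
 * false, so an unexpected permission type is denied rather than allowed.
 */
public class RestrictedShellPolicy extends ShellPolicy {

    /** Exact command lines a client may run via 'exec' (constructed sample allow-list). */
    private static final Set<String> ALLOWED_COMMANDS =
            new HashSet<>(Arrays.asList("uptime", "df -h"));

    @Override
    protected boolean assertPermission(Connection con, int perm, String... args) {
        if (perm == ShellPolicy.SHELL) {
            return false;                               // no interactive shells at all
        }
        if (perm == ShellPolicy.SUBSYSTEM) {
            // assumption: args[0] is the requested subsystem name
            return args.length == 1 && "sftp".equals(args[0]);
        }
        if (perm == ShellPolicy.EXEC) {
            // assumption: args[0] is the full command line. Exact match only, so a
            // command that merely starts with an allowed name is not accepted.
            return args.length == 1 && ALLOWED_COMMANDS.contains(args[0].trim());
        }
        return false;                                   // unknown permission type: fail closed
    }

    /** Installs the policy; setShellPolicy is an assumed setter on SshContext. */
    public static void install(SshContext sshContext) {
        sshContext.setShellPolicy(new RestrictedShellPolicy());
    }
}
```

If you need per-user decisions, the Connection argument is the place to look up the authenticated identity; the example ignores it so that it does not rely on accessor names this guide does not document.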


public boolean canForward(String sessionid, String username, ForwardingChannel channel, boolean isLocal);
public boolean canListen(String sessionid, String username, String bindAddress, int bindPort);

These methods have been replaced by a com.maverick.sshd.ForwardingPolicy object that provides greater control over the forwarding mechanism.

By default, this ForwardingPolicy allows local forwarding to any destination and binds remote forwardings strictly to the localhost interface on the server. Gateway forwarding is where the server also binds remote forwardings on its other interfaces, so that external hosts can connect to those listeners and make use of the remote forwarding configuration. If you want to allow gateway forwarding, enable it by calling the allowGatewayForwarding method:

sshContext.getForwardingPolicy().allowGatewayForwarding();

You can also restrict local forwarding from the client to specific hosts on the server network. To do this, add one or more host rules using the grantForwarding method:

sshContext.getForwardingPolicy().grantForwarding("build1.sshtools.local");

Once any forwarding rule has been granted, only destinations that have been explicitly granted using this method will be allowed. If you pass just a hostname, any port on that host is accessible. You can further refine the accessible ports by passing values in the <hostname>:<port> format. For example, the following configuration only allows forwarding to the HTTP and HTTPS ports:

sshContext.getForwardingPolicy().grantForwarding("build1.sshtools.local:80");
sshContext.getForwardingPolicy().grantForwarding("build1.sshtools.local:443");

To revoke a forwarding rule that was previously granted, call:

sshContext.getForwardingPolicy().revokeForwarding("build.sshtools.local:80");

To disable forwarding entirely, use:

sshContext.getForwardingPolicy().remove(ForwardingPolicy.ALLOW_FORWARDING);
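As an added example that is not part of the Maverick SSHD project, the helper below applies a forwarding allow-list from configuration: each entry is validated before it reaches grantForwarding, an empty list disables forwarding altogether via ALLOW_FORWARDING, and gateway forwarding is left at its default (off). It assumes only the ForwardingPolicy methods and constant named in this guide; the class name, the validation rules and the sample destinations are illustrative.

```java
import java.util.Arrays;
import java.util.List;

import com.maverick.sshd.ForwardingPolicy;
import com.maverick.sshd.SshContext;

/**
 * Added example: builds a ForwardingPolicy allow-list from "host" or
 * "host:port" entries. Malformed entries are rejected up front so that a
 * typo in configuration cannot silently widen or break the policy.
 */
public final class ForwardingSetup {

    private ForwardingSetup() {
    }

    /** Grants exactly the listed destinations; an empty list turns forwarding off. */
    public static void applyAllowList(SshContext sshContext, List<String> destinations) {
        ForwardingPolicy policy = sshContext.getForwardingPolicy();
        if (destinations.isEmpty()) {
            policy.remove(ForwardingPolicy.ALLOW_FORWARDING); // nothing granted: disable forwarding
            return;
        }
        for (String dest : destinations) {
            policy.grantForwarding(validate(dest));
        }
        // allowGatewayForwarding() is intentionally not called: remote forwardings
        // stay bound to localhost on the server unless you opt in explicitly.
    }

    /** Returns the trimmed rule, or throws if the host or port part is malformed. */
    static String validate(String dest) {
        String rule = dest.trim();
        int colon = rule.lastIndexOf(':');
        String host = colon < 0 ? rule : rule.substring(0, colon);
        if (host.isEmpty() || host.contains(" ")) {
            throw new IllegalArgumentException("bad host in forwarding rule: " + dest);
        }
        if (colon >= 0) {
            int port;
            try {
                port = Integer.parseInt(rule.substring(colon + 1));
            } catch (NumberFormatException e) {
                throw new IllegalArgumentException("bad port in forwarding rule: " + dest);
            }
            if (port < 1 || port > 65535) {
                throw new IllegalArgumentException("port out of range in forwarding rule: " + dest);
            }
        }
        return rule;
    }

    /** Constructed sample: web ports on build1 and any port on an internal git host. */
    public static void configure(SshContext sshContext) {
        applyAllowList(sshContext, Arrays.asList(
                "build1.sshtools.local:80",
                "build1.sshtools.local:443",
                "git.sshtools.local"));
    }
}
```

Because the first grant switches the policy from "any destination" to "granted destinations only", applying the whole list in one place, as configure does, avoids a window in which a partially applied configuration is in force.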


public String[] getRequiredAuthentications(String sessionid, String username);

This method has moved to the AuthenticationMechanismFactory, where it now takes a single Connection argument.