Configure Upload and Download Access

By default, users have full access to all directories permitted by their login account. You can use AllowSftpCommands to limit what kinds of actions users can perform using sftp and scp. This keyword supports a comma-separated list of one or more of the following: all, none, browse, download, upload, delete, rename. The upload option enables users to modify files, create files, create directories, or modify file attributes on the server. The download option enables users to read file contents.

AllowSftpCommands controls access from commands that use the SFTP subsystem. This includes both scp and sftp commands from Reflection for Secure IT clients and sftp commands from OpenSSH clients. It does not affect scp commands from OpenSSH clients, because the OpenSSH scp command does not use the SFTP subsystem; it executes an rcp command through the secure channel.

CAUTION: Client users may have a number of ways to access server files and directories. Factors to consider when configuring your server include session access, tunneling access, and file and directory permissions configured on the system.

To configure upload and download permissions

NOTE: This change affects both scp and sftp transfers.

  1. Open the server configuration file (/etc/ssh2/sshd2_config) in a text editor. (You can also configure this keyword in subconfiguration files.)

  2. Edit the AllowSftpCommands keyword. For example:

    To allow users to view and download files, but disallow any changes to the server files:

    AllowSftpCommands = browse, download

    To allow users to browse and upload files, but not view the contents of files on the server:

    AllowSftpCommands = browse, upload

  3. To prevent file access via terminal sessions or remote command execution (including OpenSSH scp), you can use the SessionRestricted keyword:

    SessionRestricted = subsystem
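
The check below is an added example, not part of the product documentation. It reads configuration text in the Keyword = value form shown above and reports when AllowSftpCommands limits transfers but SessionRestricted is not set to subsystem, the case in which OpenSSH scp and terminal sessions are not covered. The '#' comment handling, case-insensitive keyword matching, and a later line overriding an earlier one are assumptions, and subconfiguration files are not read.

```python
SFTP_OPTIONS = {"all", "none", "browse", "download", "upload", "delete", "rename"}

def parse_config(text):
    """Map lowercased keyword -> list of lowercased values from 'Keyword = a, b' lines."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # assumption: '#' starts a comment
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        # assumption: keywords are case-insensitive and a later line overrides an earlier one
        settings[key.strip().lower()] = [v.strip().lower() for v in value.split(",") if v.strip()]
    return settings

def audit(text):
    """Return a list of findings for the transfer-access settings described on this page."""
    cfg = parse_config(text)
    allowed = cfg.get("allowsftpcommands")
    if allowed is None:
        return ["AllowSftpCommands is not set: sftp/scp actions are not limited by this keyword"]
    findings = []
    unknown = sorted(set(allowed) - SFTP_OPTIONS)
    if unknown:
        findings.append("AllowSftpCommands has unrecognized option(s): " + ", ".join(unknown))
    if "all" not in allowed and cfg.get("sessionrestricted") != ["subsystem"]:
        findings.append("AllowSftpCommands limits SFTP-subsystem transfers, but SessionRestricted "
                        "is not 'subsystem': OpenSSH scp and terminal sessions are not covered")
    return findings

# Constructed sample configurations (not taken from a real server).
SFTP_ONLY_LIMIT = """
# download-only intent, but session access left open
AllowSftpCommands = browse, download
"""
WITH_SESSION_LIMIT = """
AllowSftpCommands = browse, download
SessionRestricted = subsystem
"""
MISSPELLED = "AllowSftpCommands = browse, downlod\nSessionRestricted = subsystem\n"

if __name__ == "__main__":
    for name, text in [("sftp-only limit", SFTP_ONLY_LIMIT),
                       ("with session limit", WITH_SESSION_LIMIT),
                       ("misspelled option", MISSPELLED)]:
        print(name, "->", audit(text) or "no findings")
```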