Managerial Approval for SFTP Devices Connections
To enable managerial approval via email or mobile notification for users connecting to devices, the approvalRequiredForConnection property must be set as true on the device group that has the target devices.
When the managerial approval property for the user is set as true, an approval request email is sent to the group manager of the user who attempted to establish the connection. For each attempt, a new approval request email is generated and sent to the manager’s email address.
A parameter can be configured to set a time limit on sending emails for the same connection request:
- Establish an SSH connection to the Kron PAM server.
- Set the required parameter in /u01/sftp_prox/conf/nsso.properties with the commands: cd /u01/sftp_prox/conf/ vi nsso.properties Add/edit the following parameter with the vi editor: nsso.approval.email.timeout = 0 (default value is “0” and the label of the value is seconds.)
- After the parameters are set, save, and exit the vi editor, and restart sftp_prox with the command: systemctl restart pam-sftp
The parameter prevents Kron PAM from sending too many emails to the manager for each repetitive attempt. For example, if this parameter is set to 300 seconds, and a user attempts to connect to a device more than one time in five minutes, only one connection approval request email is sent to the manager. To receive a connection approval request email for each attempt separately, the parameter’s default value of zero can be used.