VShell can execute arbitrary commands in response to events such as SFTP file transfers or failed authentication attempts.

VShell’s SFTP server has an access control list (ACL) language that can assign access to individual server directories by any combination of account name or group membership. It can conveniently use the Unix chroot mechanism to restrict users to given directories, as well as define virtual directories that hide details of server file organization from clients.

Again using ACLs, the VShell server can restrict access to services by individual accounts. One account might be allowed full access while another may use only SFTP. One group may do local port forwarding and get interactive sessions with their defined shells, but not remote forwarding or arbitrary remote command execution, except for one user in that group, who still gets full access.

Of course, the efficacy of such measures depends on further work: it does little good to restrict remote commands, for example, if any program can be started by the user’s shell. But VShell provides these restrictions at the right place: in terms of the basic SSH channel types used to invoke the services. Other SSH products ...