
#1 2008-02-13 23:16:52

CaspianXI
Member
Registered: 2007-05-29
Posts: 59

Running multiple sshd daemons

I'm trying to set up two ssh daemons on my machine -- one on port 22 and another on some arbitrary port... say, port 1234. Now, I've configured my iptables so that only trusted machines can access port 22 while other machines can only access port 1234. I want to be able to specify that certain privileged users can only log in through port 22, while users logging in through port 1234 can only log in as underprivileged users (i.e., I chroot them to /dev/null... j/k).

How would I set up these two ssh daemons? And how would I specify which user can only log in through which port? I've tried searching around a bit and found out that it is possible... but I can't find any information on how to do this (other than "Open this distro-specific GUI app...").

Thanks!


#2 2008-02-14 00:36:22

chimeric
Member
From: Munich, Germany
Registered: 2007-10-07
Posts: 254

Re: Running multiple sshd daemons

Hmmm, I have to admit that I don't fully understand what you'd like to achieve by running two SSH daemons to allow SSH connections from a trusted and an apparently untrusted network, but you can tell the SSH daemon to listen on more than just one port in its configuration file.

On your other question on how to specify which user can only be logged in through which port: Would you mind sharing where you got that information from?

I think you could drop someone into a chroot via .bash_login for example, but I am not sure if you can find out whether this particular user came via SSH, or if he came via SSH, through which port the user came.

Edit: Ok, after reading gorn's reply, just forget what I wrote here. Didn't know about the AllowUsers setting yet (learned something today).

Last edited by chimeric (2008-02-14 09:28:24)


#3 2008-02-14 01:22:53

gorn
Member
Registered: 2008-02-01
Posts: 56

Re: Running multiple sshd daemons

I haven't done two ssh daemons, but I'd recommend just creating two config files and either copying /etc/rc.d/sshd to a new file, or manually starting sshd and passing the -f config-file flag to tell it to use the alternate config (man sshd).

As for limiting users: there is (and I've used) the AllowUsers field in sshd_config. From man sshd_config:

AllowUsers
    This keyword can be followed by a list of user name patterns,
    separated by spaces. If specified, login is allowed only for
    user names that match one of the patterns. Only user names are
    valid; a numerical user ID is not recognized. By default, login
    is allowed for all users. If the pattern takes the form
    USER@HOST then USER and HOST are separately checked, restricting
    logins to particular users from particular hosts. The
    allow/deny directives are processed in the following order:
    DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups.

I've set up chroot jails for FTP, but never SSH. It'll be difficult, as you need to give them all the binaries they need. And it still won't protect you from things like the recent kernel exploit, though something like grsecurity might. (I haven't played with that in years though, no idea of its current status. But it could do cool things like limit netstat and ps to only work for certain users, at the kernel level.)
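Putting the two-config-file approach and AllowUsers together, here is an added example (not code from the thread or from OpenSSH) that writes one sshd_config per port and shows the sshd -f start line for each. It assumes a privileged account "alice" allowed only from the trusted host 192.0.2.10, a low-privilege account "bob" for the public port, and a scratch directory SSHD_EXAMPLE_DIR so the script runs offline without touching /etc/ssh.

```shell
#!/bin/sh
# Added example: two sshd daemons, one config file each.
# Assumed names: users alice/bob, trusted host 192.0.2.10 (all constructed).
SSHD_EXAMPLE_DIR="${SSHD_EXAMPLE_DIR:-$(mktemp -d)}"

write_configs() {
    # Port-22 daemon: only the admin account, and only from the trusted host.
    # A separate PidFile lets both daemons run side by side.
    cat > "$SSHD_EXAMPLE_DIR/sshd_config.trusted" <<'EOF'
Port 22
PidFile /var/run/sshd.trusted.pid
AllowUsers alice@192.0.2.10
PermitRootLogin no
PasswordAuthentication no
EOF
    # Port-1234 daemon: the unprivileged account only, from anywhere.
    # AllowUsers is a whitelist: anyone not listed (alice included) is refused.
    cat > "$SSHD_EXAMPLE_DIR/sshd_config.public" <<'EOF'
Port 1234
PidFile /var/run/sshd.public.pid
AllowUsers bob
PermitRootLogin no
PasswordAuthentication no
EOF
}

# Map a port to the config file its daemon must be started with.
config_for_port() {
    case "$1" in
        22)   echo "$SSHD_EXAMPLE_DIR/sshd_config.trusted" ;;
        1234) echo "$SSHD_EXAMPLE_DIR/sshd_config.public" ;;
        *)    return 1 ;;
    esac
}

# Print the start line for each daemon; when sshd is installed, also run
# its syntax check ("sshd -t -f FILE") and show what it reports.
show_start_lines() {
    for port in 22 1234; do
        f=$(config_for_port "$port") || return 1
        echo "sshd -f $f   # daemon for port $port"
        if command -v sshd >/dev/null 2>&1; then
            sshd -t -f "$f" 2>&1 | sed "s|^|  sshd -t ($port): |"
        fi
    done
}

write_configs
show_start_lines
```

The iptables rules from the first post still gate who can reach each port; AllowUsers adds a second, host-aware check inside sshd so a trusted-port connection from the wrong address is refused even if the firewall lets it through.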

