different sshd permissions for different ports


Post by Adam Bris » Thu, 21 Feb 2002 02:29:45



I have a CVS repository inside of a firewall, and I want to allow
users to access this repository from the outside world.  I can grant
access by forwarding a port on the firewall to the machine with the
CVS repository without problems.  Since this is a hole in the
firewall, it introduces a security risk into the system.

As an act of extra protection, I would like to stick sshd on two ports
for the CVS machine.  On port 22, sshd would run with a normal level
of security, but on the second port (which is visible to the world), I
would like to restrict all but public key identification.  Putting
sshd on two ports is trivial, but I can't seem to figure out how to
configure them differently.

Is there any way to configure the two ports differently with one
configuration file?

As far as I can tell, settings listed in /etc/sshd.conf cannot be
tailored to specific ports, which means either I give both ports the
same permissions or run two copies of the ssh daemon which look at two
different configuration files.  Either way is ugly and I'd like to
avoid doing that if at all possible.

Is there another clean and easy solution to my problem?

Thanks in advance,
Adam

 
 
 


Post by Matjaz Prelo » Thu, 21 Feb 2002 17:51:33


Quote:
> I have a CVS repository inside of a firewall, and I want to allow
> users to access this repository from the outside world.  I can grant
> access by forwarding a port on the firewall to the machine with the
> CVS repository without problems.  Since this is a hole in the
> firewall, it introduces a security risk into the system.

> As an act of extra protection, I would like to stick sshd on two ports
> for the CVS machine.  On port 22, sshd would run with a normal level
> of security, but on the second port (which is visible to the world), I
> would like to restrict all but public key identification.  Putting
> sshd on two ports is trivial, but I can't seem to figure out how to
> configure them differently.

> Is there any way to configure the two ports differently with one
> configuration file?

> As far as I can tell, settings listed in /etc/sshd.conf cannot be
> tailored to specific ports, which means either I give both ports the
> same permissions or run two copies of the ssh daemon which look at two
> different configuration files.  Either way is ugly and I'd like to
> avoid doing that if at all possible.

> Is there another clean and easy solution to my problem?

Yes, running two instances of sshd: the first one is normal (started from
/etc/rc.d/?/? - suppose you have Linux with AT&T boot style) and another with
a different config.
man sshd (on FreeBSD 4.5, don't know for your system) says:

-f configuration_file
             Specifies the name of the configuration file.  The default is
             /etc/ssh/sshd_config.  sshd refuses to start if there is no
             configuration file.
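
An added example, not part of the original posts: a shell script for the two-instance approach in the reply above, which writes a key-only configuration for the second sshd and checks that a config file really leaves public key as the only enabled method. Port 2222, the file paths and the function names are assumptions, and the keyword names and defaults are those of current OpenSSH.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed: port 2222, the paths below.
# Start the second daemon with the -f option quoted from the man page:
#   /usr/sbin/sshd -f /etc/ssh/sshd_config_external

# Write a key-only config for the externally forwarded port to file $1.
write_external_config() {
    cat > "$1" <<'EOF'
# Second sshd instance: reachable through the firewall, public key only.
Port 2222
PidFile /var/run/sshd_external.pid
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
HostbasedAuthentication no
PermitRootLogin no
EOF
}

# Print the effective value of keyword $2 in config file $1.
# sshd keeps the first value it reads for a keyword and keywords are
# case-insensitive; $3 is the built-in default used when it is absent.
# Match blocks and Include files are not evaluated here.
effective() {
    awk -v k="$2" -v d="$3" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(k) { print tolower($2); found = 1; exit }
        END { if (!found) print d }' "$1"
}

# Succeed only if public key is the sole enabled authentication method.
# An omitted keyword counts with its default, so a config that merely
# forgets "PasswordAuthentication no" fails the check.
key_only() {
    [ "$(effective "$1" PubkeyAuthentication yes)" = yes ] &&
    [ "$(effective "$1" PasswordAuthentication yes)" = no ] &&
    [ "$(effective "$1" KbdInteractiveAuthentication yes)" = no ] &&
    [ "$(effective "$1" HostbasedAuthentication no)" = no ]
}
```

Run `key_only` against the file passed to `-f` before exposing the port; the port-22 instance keeps its own, unchanged configuration file.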

 
 
 
