Re: embedding sshd into a server
From: Dale Dellutri (ddelQQQlutr_at_panQQQix.com)
Date: 09/15/05
- Previous message: The_Collapser: "Re: Openssh for Windows: Key Auth and Pass"
- In reply to: thablobulus: "embedding sshd into a server"
Date: Thu, 15 Sep 2005 14:40:33 +0000 (UTC)
On Tue, 13 Sep 2005 20:16:00 -0500, thablobulus <thablobulus@yahoo.com> wrote:
> I have a server that, among other things, listens on a socket where
> admins can connect to issue commands. Right now it listens on a
> configurable IP/port with no authentication. I'd like to secure it.
> What I envisioned is, have the server fork and exec an sshd process that
> listens on a special port (so it doesn't conflict with the system sshd).
> When an ssh client connects to the special sshd port and authenticates
> successfully, here is what I want to happen: instead of opening a shell
> or executing a command specified by the client, I want sshd to turn into
> a dumb proxy that connects its own stdin/stdout to the client socket.
> (The stdin/stdout are already set up as pipes to the parent server process).
> Is something like this possible?
Yes, probably. I did something similar by setting up a second ssh
service which forces its users into a special program at login.
Without going into too much detail, I did the following on a RH9
system:
1. Copy the normal ssh config files to a new "privatessh" config:
cd /etc/ssh
cp -p ssh_config privatessh_config
cp -p sshd_config privatesshd_config
Then modify the new config files as necessary.
2. Copy the ssh init script:
cd /etc/rc.d/init.d
cp -p sshd privatesshd
and modify as required.
3. Copy the ssh daemon and the pam module:
cd /usr/sbin
cp -p sshd privatesshd
cd /etc/pam.d
cp -p sshd privatesshd
Do not modify.
At this point you have a new, private ssh daemon available. You can
start it (again, remember this is RH9):
chkconfig --add privatesshd
chkconfig --level 2345 privatesshd on
service privatesshd start
This should create the necessary keys.
Restricting what the users can do with this new private ssh depends on
changes to the various files that were created, especially the config
and pam files. A simple way to force a certain command is to change
the location of the authorized keys file (in /etc/privatesshd_config):
AuthorizedKeysFile /<somenewpath>/authorized_keys
to a file owned by root, then add a:
command="/<somepath>/<someprogram>"
phrase to the user's authorized key. And make sure that the only
authentication method is the authorized key.
There are other ways, also. You could create a new user for each
admin and make sure that user is forced to a certain command at login
instead of /bin/bash.
ssh is quite a flexible system! Thank you, OpenSSH developers.
-- Dale Dellutri <ddelQQQlutr@panQQQix.com> (lose the Q's)
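The following is an added example, not part of Dale's post and not OpenSSH's own code. It writes out the two pieces his recipe depends on, a config for a second sshd instance and a root-owned authorized_keys entry with a forced command, and checks the permissions that make the command= restriction hold. On a current OpenSSH the daemon does not need to be copied: `sshd -f /etc/ssh/privatesshd_config` starts a second instance from the same binary, and `sshd -t -f <config>` checks the file first. The port 2222, the key paths, the user names, and `/usr/local/sbin/admin-proxy` (the program that would relay stdin/stdout to the admin server, e.g. `exec socat - UNIX-CONNECT:/run/admind.sock`) are illustrative assumptions. The `restrict` keyword needs OpenSSH 7.2 or later; older servers would take the explicit `no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding` options instead.

```shell
#!/bin/sh
# Added example, not from the original thread: build the pieces of a
# second, "private" sshd instance whose users are forced into a single
# proxy program. Port, paths and user names are assumptions for
# illustration; /usr/local/sbin/admin-proxy is a hypothetical program.

# Print an sshd_config for the private instance.
#   $1 port   $2 host key path   $3 root-owned authorized_keys path
#   $4 space-separated users allowed to log in
gen_privatesshd_config() {
    cat <<EOF
# Private admin instance: own port, host key and pid file, so it does
# not collide with the system sshd.
Port $1
ListenAddress 127.0.0.1
HostKey $2
PidFile /var/run/privatesshd.pid
# Key-only authentication. The key file lives outside the user's home
# and is root-owned, so a user cannot add keys or strip the command=
# restriction from their own entry.
AuthorizedKeysFile $3
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
AllowUsers $4
# Nothing but the forced command: no pty, tunnels or forwarding.
PermitTTY no
AllowTcpForwarding no
AllowAgentForwarding no
X11Forwarding no
PermitTunnel no
EOF
}

# Print one authorized_keys entry that forces program $1 for public
# key $2. "restrict" (OpenSSH 7.2+) disables pty, port/agent/X11
# forwarding and ~/.ssh/rc in one keyword; the config above enforces
# the same server-wide. The forced program sees the client's requested
# command in SSH_ORIGINAL_COMMAND if it needs it.
gen_forced_key_entry() {
    printf 'restrict,command="%s" %s\n' "$1" "$2"
}

# An authorized_keys file is only safe to carry command= restrictions if
# the user cannot edit it: it must exist, be owned by root, and not be
# group- or world-writable. Returns 0 if OK, 1 otherwise.
check_authkeys_perms() {
    f="$1"
    [ -f "$f" ] || return 1
    owner=$(ls -ld "$f" | awk '{print $3}')
    mode=$(ls -ld "$f" | cut -c1-10)
    [ "$owner" = root ] || return 1
    case "$mode" in
        ?????w*|????????w?) return 1 ;;   # group or world writable
    esac
    return 0
}

# Lay the files out in a scratch directory so the output can be
# inspected without touching /etc/ssh.
demo() {
    d=$(mktemp -d)
    gen_privatesshd_config 2222 /etc/ssh/privatessh_host_ed25519_key \
        /etc/ssh/private_authorized_keys/%u "alice bob" \
        > "$d/privatesshd_config"
    gen_forced_key_entry /usr/local/sbin/admin-proxy \
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExample alice@example" \
        > "$d/authorized_keys"
    chmod 644 "$d/authorized_keys"
    cat "$d/privatesshd_config" "$d/authorized_keys"
    if check_authkeys_perms "$d/authorized_keys"; then
        echo "authorized_keys permissions OK"
    else
        echo "authorized_keys must be root-owned and writable only by root"
    fi
    rm -rf "$d"
}

[ "${1:-}" = demo ] && demo
```

Run with `sh private_sshd.sh demo` to see the generated files. In a real deployment the config goes to `/etc/ssh/privatesshd_config`, the host key comes from `ssh-keygen -t ed25519 -f /etc/ssh/privatessh_host_ed25519_key -N ''`, and each admin's entry goes to `/etc/ssh/private_authorized_keys/<user>` (the `%u` token expands to the login name), owned by root with mode 0644.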