+ added subject

On Mon, Jan 30, 2017 at 11:32 PM, Sudarshan Soma <sudarshan12s at gmail.com> wrote:
> Hi,
> I am trying to give access to sshd port 22 to connect to a different port,
> 1023, by differentiating with a special user, customuser. Following is how I
> tried, but it doesn't work, please suggest.
>
> Outside, the user issues the command
> ssh customuser@ip, and it fails.
>
> Inside sshd_config, I wrote the following:
>
> Match user customuser
> ForceCommand . /etc/myscript
>
> Inside myscript, I do the following:
> read -p "Username: " RUSER
> ssh $RUSER@127.0.0.1 -p 1023
>
> With this setting, I find these:
>
> If I run sshd in debug mode, the password is asked in the server window,
> and the prints go to the client window:
>
> server terminal:
> sshd -d -f /etc/ssh/sshd_config -h /etc/ssh/ssh_key
>
> Starting session: forced-command (config) '. /etc/myscript' on pts/3 for
> customuser from 10.102.12.12 port 41622
> admin@127.0.0.1's password:
>
> client terminal:
> ssh customuser@10.220.167.18
> Username: admin
>
> If I run sshd in non-interactive mode:
> it doesn't ask for the password at all.
>
> server logs:
>
> Jan 30 17:22:18 Linux auth.info sshd[5229]: WARNING:
> /usr/local/etc/moduli does not exist, using fixed modulus
> Jan 30 17:22:18 Linux auth.err sshd[5229]: error: Could not get shadow
> information for customuser
> Jan 30 17:22:18 Linux auth.info sshd[5229]: Accepted none for customuser
> from 10.220.82.17 port 41645 ssh2
> Jan 30 17:22:18 Linux auth.info sshd[5230]: lastlog_openseek: Couldn't
> stat /var/log/lastlog: No such file or directory
> Jan 30 17:22:18 Linux auth.info sshd[5230]: lastlog_openseek: Couldn't
> stat /var/log/lastlog: No such file or directory
>
> client logs:
>
> ssh customuser@10.220.167.184
> Username: admin
> Permission denied, please try again.
> Permission denied, please try again.
> Permission denied (publickey,password).
> Connection to 10.220.167.184 closed.
On Tue, Jan 31, 2017 at 5:03 AM, Sudarshan Soma <sudarshan12s at gmail.com> wrote:
> + added subject
>
> On Mon, Jan 30, 2017 at 11:32 PM, Sudarshan Soma <sudarshan12s at gmail.com>
> wrote:
[...]
>> I am trying to give access to sshd port 22 to connect to different port
>> 1023 by differentiating with special user, customuser. Following is how i
>> tried, but it doesnt work, please suggest.

What is the objective of this exercise?

>> If i run sshd in debug mode, password is asked in the server window,
>> prints go to client window:

I think what's happening is that ssh will open the process'
controlling terminal to ask for a password, and that happens to be
sshd's when run in debug mode and not present when run normally. Try
forcing ssh to request a tty ("ssh -tt ...").

If that doesn't work please post the complete server and client debug
logs (using "/path/to/sshd -o loglevel=debug3 -e" should get you the
debug logs for the doesn't-ask case).

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
Thanks Darren, the intention in doing this: allow users to access my own
shell/CLI (including authentication) on port 22. Their firewall settings
don't allow anything other than port 22, so I would internally redirect to
port 1023 when customuser is provided.

I will try enabling logs, thanks.

On Tue, Jan 31, 2017 at 5:10 AM, Darren Tucker <dtucker at zip.com.au> wrote:
> On Tue, Jan 31, 2017 at 5:03 AM, Sudarshan Soma <sudarshan12s at gmail.com>
> wrote:
> > + added subject
> >
> > On Mon, Jan 30, 2017 at 11:32 PM, Sudarshan Soma <sudarshan12s at gmail.com>
> > wrote:
> [...]
> >> I am trying to give access to sshd port 22 to connect to different port
> >> 1023 by differentiating with special user, customuser. Following is how
> i
> >> tried, but it doesnt work, please suggest.
>
> What is the objective of this exercise?
>
> >> If i run sshd in debug mode, password is asked in the server window,
> >> prints go to client window:
>
> I think what's happening is that ssh will open the process'
> controlling terminal to ask for a password, and that happens to be
> sshd's when run in debug mode and not present when run normally. Try
> forcing ssh to request a tty ("ssh -tt ...").
>
> If that doesn't work please post the complete server and client debug
> logs (using "/path/to/sshd -o loglevel=debug3 -e" should get you the
> debug logs for the doesn't-ask case).
>
> --
> Darren Tucker (dtucker at zip.com.au)
> GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
>     Good judgement comes with experience. Unfortunately, the experience
> usually comes from bad judgement.
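For reference, here is what the relay wrapper from this thread looks like with Darren's "-tt" suggestion applied and a couple of checks the posted /etc/myscript does not have. This is an added example written for this archive page; it is not the poster's script and not part of OpenSSH. It assumes the inner service really is an sshd on 127.0.0.1:1023, that remote account names are plain alphanumeric names of at most 32 characters, and that the script is installed executable as /etc/myscript and invoked with "ForceCommand /etc/myscript" rather than sourced into the login shell with ". /etc/myscript". Two points from the original worth knowing about: the posted script passes $RUSER unquoted straight onto the ssh command line, so whatever the remote user types at "Username:" is parsed as ssh arguments (a name starting with "-" becomes an option), and the server log above shows "Accepted none for customuser", meaning the port-22 login itself succeeded with the "none" authentication method, so the inner password prompt is the only credential check on this path.

```sh
#!/bin/sh
# Added example relay wrapper, not the poster's /etc/myscript.
#
# Assumed sshd_config on the port-22 server (ForceCommand is real sshd
# syntax; the rest of this setup is assumed):
#
#   Match User customuser
#       ForceCommand /etc/myscript
#       AllowTcpForwarding no

TARGET_HOST=127.0.0.1   # assumed: the inner CLI/sshd address
TARGET_PORT=1023        # from the thread

# Accept only a plain account name: non-empty, no leading "-", only
# [A-Za-z0-9_-], at most 32 characters. Anything else (spaces, "=", ";",
# "-oProxyCommand=...", ...) is rejected before it can reach ssh's
# argument parser.
valid_user() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# The argument list handed to the inner ssh, one argument per line.
# Kept separate from the exec so it can be inspected without connecting:
#   -tt  force a tty on the inner session so ssh has a terminal to read
#        the password from (Darren's suggestion)
#   -l   pass the name as the login option, never as "name@host"
#   --   end option parsing before the host argument
inner_ssh_args() {
    printf '%s\n' -tt -p "$TARGET_PORT" -l "$1" -- "$TARGET_HOST"
}

relay() {
    # sshd exports SSH_ORIGINAL_COMMAND to a forced command when the client
    # asked for a command; this wrapper is interactive-only, so refuse it.
    if [ -n "$SSH_ORIGINAL_COMMAND" ]; then
        echo "remote commands are not allowed here" >&2
        return 1
    fi
    printf 'Username: ' >&2
    IFS= read -r ruser || return 1
    if ! valid_user "$ruser"; then
        echo "invalid user name" >&2
        return 1
    fi
    # Replace the wrapper with the inner ssh; every argument is quoted.
    exec ssh -tt -p "$TARGET_PORT" -l "$ruser" -- "$TARGET_HOST"
}

# Only relay when run as the installed forced command (/etc/myscript);
# when the file is sourced or loaded under another name, just define
# the functions.
case "${0##*/}" in
    myscript) relay ;;
esac
```

With this in place the outer session still has to be locked down separately (the "Accepted none" line means customuser currently logs in with no credential at all), but the user-supplied name can no longer turn into ssh options, and the inner ssh gets a tty whether or not sshd was started with -d.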