Hi,

I am trying to give access to sshd port 22 to connect to a different port, 1023, by differentiating with a special user, customuser. Following is how I tried, but it doesn't work; please suggest.

Outside, the user issues the command

    ssh customuser@ip

and it fails.

Inside sshd_config, I wrote the following:

    Match user customuser
        ForceCommand . /etc/myscript

Inside myscript, I do the following:

    read -p "Username: " RUSER
    ssh "$RUSER"@127.0.0.1 -p 1023

With this setting, I find these:

If I run sshd in debug mode, the password is asked for in the server window, and the prints go to the client window.

server terminal:

    sshd -d -f /etc/ssh/sshd_config -h /etc/ssh/ssh_key

    Starting session: forced-command (config) '. /etc/myscript' on pts/3 for customuser from 10.102.12.12 port 41622
    admin@127.0.0.1's password:

client terminal:

    ssh customuser@10.220.167.18
    Username: admin

If I run sshd in non-interactive mode, it doesn't ask for the password at all.

server logs:

    Jan 30 17:22:18 Linux auth.info sshd[5229]: WARNING: /usr/local/etc/moduli does not exist, using fixed modulus
    Jan 30 17:22:18 Linux auth.err sshd[5229]: error: Could not get shadow information for customuser
    Jan 30 17:22:18 Linux auth.info sshd[5229]: Accepted none for customuser from 10.220.82.17 port 41645 ssh2
    Jan 30 17:22:18 Linux auth.info sshd[5230]: lastlog_openseek: Couldn't stat /var/log/lastlog: No such file or directory
    Jan 30 17:22:18 Linux auth.info sshd[5230]: lastlog_openseek: Couldn't stat /var/log/lastlog: No such file or directory

client logs:

    ssh customuser@10.220.167.184
    Username: admin
    Permission denied, please try again.
    Permission denied, please try again.
    Permission denied (publickey,password).
    Connection to 10.220.167.184 closed.
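A hardened version of the forced-command jump script described in this message, added here as an example; it is not code from the thread or from OpenSSH. It keeps the same design (a Match block on the port-22 sshd forces a script that hops to an sshd listening only on 127.0.0.1:1023) but validates the typed account name against an allowlist, ends option parsing with "--" before the user@host token so whatever was typed can never be parsed as an ssh option, asks for a pty on the inner hop so its password prompt reaches the remote client's terminal rather than the server console, and refuses to run without a terminal. The path /etc/myscript, the JUMP_* names and the allowlist value "admin" are assumptions. One caveat from the server log above: "Accepted none for customuser" is how sshd records a session granted through the "none" authentication method, which it allows only for an account whose password is empty while PermitEmptyPasswords is enabled; the customuser account needs a real password or key before this scheme is exposed.

```shell
#!/bin/sh
# Added example, not the script from the thread. Hardened jump script for a
# forced command on the port-22 sshd. Assumptions (hypothetical names):
#   - a second sshd listens on 127.0.0.1:1023 only, as in the thread;
#   - this file is installed executable as /etc/myscript and referenced as
#       Match User customuser
#           ForceCommand /etc/myscript
#           PermitTTY yes
#           AllowTcpForwarding no
#           X11Forwarding no
#     (run directly, not sourced with ". /etc/myscript" as in the question);
#   - JUMP_ALLOWED_USERS lists the inner accounts reachable through the jump;
#     "admin" is a constructed value.

JUMP_HOST=127.0.0.1
JUMP_PORT=1023
JUMP_ALLOWED_USERS="admin"

# valid_username NAME: succeed only for a plain lowercase login name that is on
# the allowlist. Empty input, a leading "-", whitespace or any character outside
# [a-z0-9_-] is rejected, so the name can never be parsed as an ssh option.
valid_username() {
    name=$1
    case "$name" in
        ''|-*|*[!a-z0-9_-]*) return 1 ;;
    esac
    if [ "${#name}" -gt 32 ]; then
        return 1
    fi
    for allowed in $JUMP_ALLOWED_USERS; do
        if [ "$name" = "$allowed" ]; then
            return 0
        fi
    done
    return 1
}

# jump_target NAME: print the "user@host" token for the inner hop once NAME has
# passed valid_username; fail and print nothing otherwise.
jump_target() {
    valid_username "$1" || return 1
    printf '%s@%s\n' "$1" "$JUMP_HOST"
}

# main: prompt on the session pty, validate, then replace this shell with the
# inner ssh. "-t" requests a pty on the inner hop so its password prompt goes to
# the remote client's terminal instead of the server console; "--" ends option
# parsing so the target token is always taken as the host argument.
main() {
    if [ ! -t 0 ]; then
        printf 'jump: an interactive terminal is required\n' >&2
        exit 1
    fi
    printf 'Username: '
    IFS= read -r ruser || exit 1
    target=$(jump_target "$ruser") || {
        printf 'jump: user not permitted\n' >&2
        exit 1
    }
    exec ssh -t -p "$JUMP_PORT" -- "$target"
}

# Run the jump only when invoked as the installed script, so the functions can
# also be sourced or exercised without prompting.
case "${0##*/}" in
    myscript) main ;;
esac
```

The outer client must still have a pty for the inner prompt to appear (plain `ssh customuser@host` with no command allocates one), and the loopback-only listener on 1023 is what keeps the inner sshd out of reach of the firewall-facing interface.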
On Mon, Jan 30, 2017 at 1:02 PM, Sudarshan Soma <sudarshan12s at gmail.com> wrote:
> Hi,
> I am trying to give access to sshd port 22 to connect to different port
> 1023 by differentiating with special user, customuser. Following is how I
> tried, but it doesn't work, please suggest.

The easiest way to do this is, typically, to run a *separate* sshd on
port 1023 with the characteristics set to allow *only* that alternative
user access. Take a look at setting up another daemon with another
"sshd_config" file to do this. That way, you can leave your internal
default SSH the heck alone and block it at your firewalls as
appropriate.

> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
Thanks for the suggestion. The customer firewall settings don't allow access to 1023, hence I was doing it from inside. So external access to port 1023 is dropped, but from loopback (inside) it would be allowed. Please share your thoughts/comments.

On Tue, Jan 31, 2017 at 10:19 AM, Nico Kadel-Garcia <nkadel at gmail.com> wrote:
> On Mon, Jan 30, 2017 at 1:02 PM, Sudarshan Soma <sudarshan12s at gmail.com> wrote:
> > Hi,
> > I am trying to give access to sshd port 22 to connect to different port
> > 1023 by differentiating with special user, customuser. Following is how I
> > tried, but it doesn't work, please suggest.
>
> The easiest way to do this is, typically, to run a *separate* sshd on
> port 1023 with the characteristics set to allow *only* that alternative
> user access. Take a look at setting up another daemon with another
> "sshd_config" file to do this. That way, you can leave your internal
> default SSH the heck alone and block it at your firewalls as
> appropriate.