LinuxQuestions.org
Old 07-08-2008, 07:24 PM   #1
callagga
different authentication on different ports - how can I achieve this???

Hi,

I'm trying to work out how I can configure sshd (on Redhat linux) so that I can have different authentication on different ports. For example I'm trying to achieve the following:
* Port X - use PubkeyAuthentication (no ChallengeResponseAuthentication) - this port is open via the firewall (external access)
* Port Y - use only ChallengeResponseAuthentication - use only internally (i.e. port is blocked at firewall)

Q1 - Is there a way to achieve this within one sshd process / one configuration file? If so how would the config look?

Q2 - If not how could I achieve this? Run two separate sshd's? If yes can you give me a couple of pointers re how to do this please? (I'm on redhat linux) Also on this topic I'm wondering how the "service" command would fit in. Currently I can use "service sshd restart" to restart my existing sshd process. If I were to be running two I'm wondering what would need to be done so I could use the "service" command on each of them separately?

Thanks in advance
Greg
 
Old 07-08-2008, 10:42 PM   #2
Mr. C.
You can run as many sshd's as you want, each with their own configuration.

man sshd

will tell you how to specify a config file. You can have multiple config files. You will also find a -p option, or you can specify the listen address in sshd_config. Startup the second service with the first if you want by modifying the sshd startup script, or make a copy called sshd2 or something like that. Make the appropriate changes, and make the symlinks in the rc.d directories just like you see for sshd.
 
Old 07-09-2008, 12:53 AM   #3
callagga
thanks - I see how you can specify the host file

any pointers re how to arrange so that both instances can be managed as a linux service, i.e. using "service sshd<num>"?
 
Old 07-09-2008, 01:08 AM   #4
Mr. C.
Just copy /etc/init.d/sshd to /etc/init.d/sshd2 and you'll be able to use service. Service is just a script in /sbin that essentially does this for you:

/etc/init.d/sshd cmd

where cmd is start, stop, restart, etc.
 
Old 07-09-2008, 01:40 AM   #5
callagga
thanks - and I guess the fact it's in that directory implies it will be autostarted after a reboot?

PS I assume I'll have to modify the new sshd2 file to replace "sshd" with "sshd2"?

Last edited by callagga; 07-09-2008 at 01:41 AM.
 
Old 07-09-2008, 02:22 AM   #6
Mr. C.
The auto-starting will occur IF you have the proper symbolic or hard links. See how sshd is currently handled in each of the various /etc/init.d/rc.*/ directories. You will see S##sshd and K##sshd links; these are for Start and Kill. They are just links to the sshd script in /etc/init.d/rc.d. The ## are numbers, which indicate the relative order in which the scripts start up. Just use the same numbers that are there for the *sshd script.

Yes, replace anything inside the sshd2 script that is specific to sshd. There shouldn't be much to it, as it should be parametrized from its own file name.
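A worked version of the link layout described in the reply above, added here as an example that is not code from the thread or from RedHat: it reads the `# chkconfig: <levels> <start> <stop>` header that the page's own init script carries (`chkconfig: 2345 55 25`) and creates the S##/K## links for a copied script. Everything happens under a constructed sandbox root so nothing in the real /etc is touched; the service name sshd2, the sandbox, and the helper names are assumptions. On a real RedHat box `chkconfig --add sshd2` reads the same header and produces the same links.

```shell
#!/bin/sh
# Added example, not from the thread: build S##/K## runlevel links for a
# copied init script from its own "# chkconfig:" header, inside a sandbox.

# Print "levels start stop" from the chkconfig header of an init script.
chkconfig_header() {
    sed -n 's/^# *chkconfig: *\([0-9]*\) *\([0-9]*\) *\([0-9]*\).*/\1 \2 \3/p' "$1" | head -n 1
}

# Create S<start>NAME in each runlevel listed in the header and K<stop>NAME
# in every other runlevel, mirroring what the stock sshd links look like.
# $1 = root to work under (a sandbox here; / on a real system), $2 = service.
install_rc_links() {
    root=$1; name=$2
    script="$root/etc/rc.d/init.d/$name"
    set -- $(chkconfig_header "$script")
    [ $# -eq 3 ] || { echo "no chkconfig header in $script" >&2; return 1; }
    levels=$1; start=$2; stop=$3
    for lvl in 0 1 2 3 4 5 6; do
        dir="$root/etc/rc.d/rc$lvl.d"
        mkdir -p "$dir"
        case "$levels" in
            *$lvl*) ln -sf "../init.d/$name" "$dir/S$start$name" ;;
            *)      ln -sf "../init.d/$name" "$dir/K$stop$name" ;;
        esac
    done
}

# Report how many Start and Kill links a service has, as "S K".
count_links() {
    s=$(find "$1/etc/rc.d" -name "S*$2" | wc -l)
    k=$(find "$1/etc/rc.d" -name "K*$2" | wc -l)
    echo "$(( s )) $(( k ))"
}

# Constructed sandbox: a stand-in for a copied /etc/rc.d/init.d/sshd2 that
# keeps the header of the sshd script shown on this page.
ROOT=$(mktemp -d)
trap 'rm -rf "$ROOT"' EXIT
mkdir -p "$ROOT/etc/rc.d/init.d"
cat > "$ROOT/etc/rc.d/init.d/sshd2" <<'EOF'
#!/bin/bash
# chkconfig: 2345 55 25
# description: second OpenSSH server daemon
EOF

install_rc_links "$ROOT" sshd2
echo "sshd2 links (S K): $(count_links "$ROOT" sshd2)"
ls -l "$ROOT"/etc/rc.d/rc3.d "$ROOT"/etc/rc.d/rc0.d
```

With the page's header the result is S55sshd2 in rc2.d through rc5.d and K25sshd2 in rc0.d, rc1.d and rc6.d, which is exactly the pattern the reply tells you to copy from the existing *sshd links.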
 
Old 07-09-2008, 03:01 AM   #7
callagga
[delete - oops they are sym links]

Last edited by callagga; 07-09-2008 at 03:08 AM. Reason: [delete - oops they are sym links]
 
Old 07-09-2008, 03:19 AM   #8
callagga
any ideas whether I would need to duplicate the following?

(a) /var/empty/sshd2/etc directory?
(b) /var/lock/subsys/sshd2 ?

Code:
start()
{
        # Create keys if necessary
        do_rsa1_keygen
        do_rsa_keygen
        do_dsa_keygen

        cp -af /etc/localtime /var/empty/sshd/etc

        echo -n $"Starting $prog:"
        initlog -c "$SSHD $OPTIONS" && success || failure
        RETVAL=$?
        [ "$RETVAL" = 0 ] && touch /var/lock/subsys/sshd
        echo
}
 
Old 07-09-2008, 03:53 AM   #9
Mr. C.
(a) is for chroot; just duplicate
(b) is lock file; just lets the startup scripts know it is already started. Change the "sshd" value in the end of the start() function to "sshd2".
 
Old 07-09-2008, 07:34 AM   #10
callagga
first past attempt but some probs

getting closer, seem to be able to "service httpd_local start" ok, however I have issues with stopping and status. Note the "FAILED" and the "sshd_local dead but subsys locked". I'm wondering if I've got a bug in the stop script? Extract below & full file attached.

Note: As well as duplicating some directories for this script, I also copied the actual /usr/sbin/sshd to /usr/sbin/sshd_local as I was guessing (when I had one issue) perhaps this is what was required to allow the script to discover which process to stop, i.e. it seems to use $SSHD when doing the killproc no?

Code:
stop()
{
        echo -n $"Stopping $prog:"
        if [ -n "`pidfileofproc $SSHD`" ] ; then
            killproc $SSHD
        else
            failure $"Stopping $prog"
        fi
        RETVAL=$?
        [ "$RETVAL" = 0 ] && rm -f /var/lock/subsys/sshd_local
        echo
}

Console output
Code:
[root@home init.d]# ps -ax | grep ssh
Warning: bad syntax, perhaps a bogus '-'? See /usr/share/doc/procps-3.2.7/FAQ
17309 ?        Ss     0:00 /usr/sbin/sshd
18727 ?        Ss     0:00 sshd: root@pts/1
19164 ?        Ss     0:00 sshd: root@pts/2
19205 pts/1    R+     0:00 grep ssh
[root@home init.d]#
[root@home init.d]# service sshd status
sshd (pid 19164 18727 17309) is running...
[root@home init.d]# service sshd stop
Stopping sshd:                                             [FAILED]
[root@home init.d]# service sshd status
sshd (pid 19164 18727 17309) is running...
[root@home init.d]# service sshd start
Starting sshd:                                             [  OK  ]
[root@home init.d]# service sshd status
sshd (pid 19164 18727 17309) is running...
[root@home init.d]#
[root@home init.d]#
[root@home init.d]#
[root@home init.d]# service sshd_local status
sshd_local dead but subsys locked
[root@home init.d]# service sshd_local stop
Stopping sshd_local:                                       [FAILED]
[root@home init.d]# service sshd_local start
Starting sshd_local:                                       [  OK  ]
[root@home init.d]# ps -ax | grep ssh
Warning: bad syntax, perhaps a bogus '-'? See /usr/share/doc/procps-3.2.7/FAQ
17309 ?        Ss     0:00 /usr/sbin/sshd
18727 ?        Ss     0:00 sshd: root@pts/1
19164 ?        Ss     0:00 sshd: root@pts/2
19433 ?        Ss     0:00 /usr/sbin/sshd_local -f /etc/ssh/sshd_config_local
19437 pts/1    R+     0:00 grep ssh
[root@home init.d]#
[root@home init.d]# service sshd_local stop
Stopping sshd_local:                                       [FAILED]
[root@home init.d]# ps -ax | grep ssh
Warning: bad syntax, perhaps a bogus '-'? See /usr/share/doc/procps-3.2.7/FAQ
17309 ?        Ss     0:00 /usr/sbin/sshd
18727 ?        Ss     0:00 sshd: root@pts/1
19164 ?        Ss     0:00 sshd: root@pts/2
19433 ?        Ss     0:00 /usr/sbin/sshd_local -f /etc/ssh/sshd_config_local
19447 pts/1    R+     0:00 grep ssh
Full File
Code:
[root@home init.d]# cat sshd_local
#!/bin/bash
#
# Init file for OpenSSH server daemon
#
# chkconfig: 2345 55 25
# description: OpenSSH server daemon
#
# processname: sshd
# config: /etc/ssh/ssh_host_key
# config: /etc/ssh/ssh_host_key.pub
# config: /etc/ssh/ssh_random_seed
# config: /etc/ssh/sshd_config
# pidfile: /var/run/sshd.pid

# source function library
. /etc/rc.d/init.d/functions

# pull in sysconfig settings
[ -f /etc/sysconfig/sshd ] && . /etc/sysconfig/sshd

RETVAL=0
prog="sshd_local"

# Some functions to make the below more readable
KEYGEN=/usr/bin/ssh-keygen
SSHD=/usr/sbin/sshd_local
RSA1_KEY=/etc/ssh/ssh_host_key
RSA_KEY=/etc/ssh/ssh_host_rsa_key
DSA_KEY=/etc/ssh/ssh_host_dsa_key
PID_FILE=/var/run/sshd_local.pid

do_rsa1_keygen() {
        if [ ! -s $RSA1_KEY ]; then
                echo -n $"Generating SSH1 RSA host key: "
                if $KEYGEN -q -t rsa1 -f $RSA1_KEY -C '' -N '' >&/dev/null; then
                        chmod 600 $RSA1_KEY
                        chmod 644 $RSA1_KEY.pub
                        if [ -x /sbin/restorecon ]; then
                            /sbin/restorecon $RSA1_KEY.pub
                        fi
                        success $"RSA1 key generation"
                        echo
                else
                        failure $"RSA1 key generation"
                        echo
                        exit 1
                fi
        fi
}

do_rsa_keygen() {
        if [ ! -s $RSA_KEY ]; then
                echo -n $"Generating SSH2 RSA host key: "
                if $KEYGEN -q -t rsa -f $RSA_KEY -C '' -N '' >&/dev/null; then
                        chmod 600 $RSA_KEY
                        chmod 644 $RSA_KEY.pub
                        if [ -x /sbin/restorecon ]; then
                            /sbin/restorecon $RSA_KEY.pub
                        fi
                        success $"RSA key generation"
                        echo
                else
                        failure $"RSA key generation"
                        echo
                        exit 1
                fi
        fi
}

do_dsa_keygen() {
        if [ ! -s $DSA_KEY ]; then
                echo -n $"Generating SSH2 DSA host key: "
                if $KEYGEN -q -t dsa -f $DSA_KEY -C '' -N '' >&/dev/null; then
                        chmod 600 $DSA_KEY
                        chmod 644 $DSA_KEY.pub
                        if [ -x /sbin/restorecon ]; then
                            /sbin/restorecon $DSA_KEY.pub
                        fi
                        success $"DSA key generation"
                        echo
                else
                        failure $"DSA key generation"
                        echo
                        exit 1
                fi
        fi
}

do_restart_sanity_check()
{
        $SSHD -t -f /etc/ssh/sshd_config_local
        RETVAL=$?
        if [ ! "$RETVAL" = 0 ]; then
                failure $"Configuration file or keys are invalid"
                echo
        fi
}

start()
{
        # Create keys if necessary
        do_rsa1_keygen
        do_rsa_keygen
        do_dsa_keygen

        cp -af /etc/localtime /var/empty/sshd_local/etc

        echo -n $"Starting $prog:"
        initlog -c "$SSHD $OPTIONS -f /etc/ssh/sshd_config_local" && success || failure
        RETVAL=$?
        [ "$RETVAL" = 0 ] && touch /var/lock/subsys/sshd_local
        echo
}

stop()
{
        echo -n $"Stopping $prog:"
        if [ -n "`pidfileofproc $SSHD`" ] ; then
            killproc $SSHD
        else
            failure $"Stopping $prog"
        fi
        RETVAL=$?
        [ "$RETVAL" = 0 ] && rm -f /var/lock/subsys/sshd_local
        echo
}

reload()
{
        echo -n $"Reloading $prog:"
        if [ -n "`pidfileofproc $SSHD`" ] ; then
            killproc $SSHD -HUP
        else
            failure $"Reloading $prog"
        fi
        RETVAL=$?
        echo
}

case "$1" in
        start)
                start
                ;;
        stop)
                stop
                ;;
        restart)
                stop
                start
                ;;
        reload)
                reload
                ;;
        condrestart)
                if [ -f /var/lock/subsys/sshd_local ] ; then
                        do_restart_sanity_check
                        if [ "$RETVAL" = 0 ] ; then
                                stop
                                # avoid race
                                sleep 3
                                start
                        fi
                fi
                ;;
        status)
                status $SSHD
                RETVAL=$?
                ;;
        *)
                echo $"Usage: $0 {start|stop|restart|reload|condrestart|status}"
                RETVAL=1
esac
exit $RETVAL

Last edited by callagga; 07-09-2008 at 07:37 AM.
 
Old 07-09-2008, 01:36 PM   #11
Mr. C.
There is no need to make a copy of sshd itself - you can run a program as many times as you want by the same name. If other scripts or whatnot use the name of a process, just make a symlink or hard link to the program:

ln sshd sshd_local

I don't immediately see what is causing the /etc/init.d/rc.d/sshd_local script to complain. But first things first. Are you able to start, stop, and use sshd_local from the command line, using the same command line arguments that the script would provide? Getting it to work manually first is important. Then, focus on fixing the script.

RedHat/Fedora start/stop scripts are not terribly accurate or robust in terms of the PASS/FAILED status.
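The "sshd_local dead but subsys locked" and FAILED results in post #10 are consistent with a PID-file clash that the thread never pins down: the RedHat functions library resolves `pidfileofproc /usr/sbin/sshd_local` to /var/run/sshd_local.pid, but sshd only writes that file when its config sets PidFile, and sshd_config_local does not, so both daemons fall back to the default /var/run/sshd.pid and the second one overwrites the first's. The check below is an added example, not code from the thread or from OpenSSH: it applies sshd's first-occurrence-wins rule to constructed copies of the two configs and reports whether two instances would share a PID file. The function names and the sample configs are assumptions; the default PidFile value and the first-match rule are OpenSSH behaviour.

```shell
#!/bin/sh
# Added example, not from the thread: detect two sshd_config files that
# would both write the same PID file, which breaks a copied RedHat init
# script's stop/status handling.

# Effective value of a keyword in an sshd_config.
# $1 = config file, $2 = keyword, $3 = default used when the keyword is absent.
# sshd keywords are case-insensitive and the first occurrence wins; anything
# after a Match line is conditional, so the scan stops there. The "key=value"
# spelling sshd also accepts is not handled (simplification).
sshd_effective() {
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    val=$(awk -v key="$key" '
        /^[[:space:]]*(#|$)/ { next }          # comments and blank lines
        tolower($1) == "match" { exit }        # global section ends here
        tolower($1) == key { print $2; exit }  # first occurrence wins
        ' "$1")
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$3"; fi
}

# OpenSSH defaults: PidFile /var/run/sshd.pid, Port 22.
sshd_pidfile() { sshd_effective "$1" PidFile /var/run/sshd.pid; }
sshd_port()    { sshd_effective "$1" Port 22; }

# Returns 0 if the two instances keep separate PID files, 1 if they collide.
check_pair() {
    a=$(sshd_pidfile "$1"); b=$(sshd_pidfile "$2")
    if [ "$a" = "$b" ]; then
        echo "COLLISION: $1 and $2 both write $a" >&2
        return 1
    fi
    return 0
}

# Constructed sample configs modelled on the two files in this thread.
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
cat > "$TMP/sshd_config" <<'EOF'
Port 5443
PubkeyAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
EOF
cat > "$TMP/sshd_config_local" <<'EOF'
Port 22
ChallengeResponseAuthentication yes
UsePAM yes
EOF
# The same second config with the one line the second instance needs.
cat > "$TMP/sshd_config_local_fixed" <<'EOF'
Port 22
PidFile /var/run/sshd_local.pid
ChallengeResponseAuthentication yes
UsePAM yes
EOF

for cfg in "$TMP/sshd_config_local" "$TMP/sshd_config_local_fixed"; do
    if check_pair "$TMP/sshd_config" "$cfg"; then
        echo "ok: $cfg (port $(sshd_port "$cfg"), PidFile $(sshd_pidfile "$cfg"))"
    fi
done
```

The same PID file clash also explains why `service sshd stop` failed in post #10: once sshd_local has replaced /var/run/sshd.pid with its own PID and then died, `killproc` for the original sshd is handed a stale PID. Adding `PidFile /var/run/sshd_local.pid` to sshd_config_local lines the daemon up with the `PID_FILE` and `pidfileofproc` expectations of the copied script.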
 
Old 07-09-2008, 05:30 PM   #12
callagga
no supported authentication mechanism

Hi MrC,

Good idea re trying directly first. I am actually getting a 'no authentication mechanism' error when using the new sshd_local. The only thing I have done in the config file different is:
a) change the port number
b) set ChallengeResponseAuthentication yes (as I wasn't planning to use the public certificate approach for this internal sshd)
c) comment out the following as I'm not using certificates
# PubkeyAuthentication yes
# AuthorizedKeysFile .ssh/authorized_keys

Q1 - Is there some step I need to take perhaps to initiate the new sshd_local such as create host certificates or anything? I'm not sure why, when I enter my username/password, authentication isn't working. When I've made the same changes previously to my primary sshd configuration this always seemed to work re swapping from certificate based authentication to password based authentication.

Q2 - Any way to add more logging around why exactly authentication is not working?


sshd_config_local (not working)

Code:
Port 22
SyslogFacility AUTHPRIV
PasswordAuthentication no
ChallengeResponseAuthentication yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePAM yes
X11Forwarding yes
Subsystem       sftp    /usr/libexec/openssh/sftp-server
sshd_config (working)
Code:
Port 5443
SyslogFacility AUTHPRIV
PubkeyAuthentication yes
AuthorizedKeysFile      .ssh/authorized_keys
PasswordAuthentication no
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePAM yes
X11Forwarding yes
Subsystem       sftp    /usr/libexec/openssh/sftp-server
Protocol 2

thanks again
Greg
 
Old 07-09-2008, 07:10 PM   #13
Mr. C.
A1) You should be able to share the certificates. I recall your /etc/init.d/sshd_local script used the same location as the originals. So no need to customize those.

A2) Launch sshd_local with -D and with -d for debugging, add up to 2 more d's for more verbose debugging. Pay special attention to the paths, etc. to be sure they are what you expect. And start, on another terminal, ssh with one or more -v options for verbosity there too. You should be able to see sufficient diags. to determine what is going on.

You'll have to look at your login.conf file to see what requirements exist when using ChallengeResponseAuthentication. This may be the same as keyboard interactive, and may be implemented by PAM. Therefore, the file /etc/pam.d/sshd would control logins for your existing sshd; you may have to link /etc/pam.d/sshd to /etc/pam.d/sshd_local also.
 
Old 07-09-2008, 07:50 PM   #14
callagga
Thanks MrC

It seems (based on initial tests) to be working! I created the link "ln sshd sshd_local". I did a find across "httpd" and I think it's duplicated now:

Code:
[root@home /]# find / -name sshd*
/etc/rc.d/init.d/sshd
/etc/rc.d/init.d/sshd_local

/etc/pam.d/sshd
/etc/pam.d/sshd_local

/etc/ssh/sshd_config_local
/etc/ssh/sshd_config

/usr/sbin/sshd
/usr/sbin/sshd_local

/var/empty/sshd
/var/empty/sshd_local

/var/lock/subsys/sshd
/var/lock/subsys/sshd_local
Hopefully I won't have to post again on this thread. Thanks heaps for all the help MrC

Regards
Greg
 