LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
Old 11-29-2003, 03:06 PM   #1
Kyanos
LQ Newbie
 
Registered: Nov 2003
Location: Ottawa, Canada
Distribution: Debian
Posts: 10

Rep: Reputation: 0
screen / ssh setup -- keeping it secure


Please forgive me if this is in the wrong forum, it could potentially go in Security or Software...

My current setup is a router connected to my system, with port 443 on the router's public IP being forwarded to port 22 on my computer's internal IP, to allow me to remotely log in. Since my main user has some potential security breaches (like sudo), I have ssh instructed to only let me log in with a dummy user. Then I can su to my main user.

My problem is that screen won't allow me to run under my main user, because the tty I'm connected on belongs to the dummy user. This seems to be normal for screen, and not something that can be bypassed. But if I run screen as the dummy user, then su within screen, anybody who can get into the dummy user also gets into my main user, so there's hardly any point to having a dummy user!

What I think is the best solution right now is to have sshd listen on two separate ports. Connecting to one port will allow me to log in only as the dummy user (this will listen on a port that the router forwards to), connecting on the other port I can log in as my main user. sshd doesn't seem to allow that type of configuration within the same file, so I'd have to run two ssh daemons. I would greatly prefer to have this set up to run automatically (i.e. start within /etc/init.d/ssh), but there are a few things in there that I'm not sure about. Has anyone else set up something similar in Debian, that could give me some tips?

Alternatively, does anybody have any suggestions on how to remotely run screen as my main user without compromising security?
 
Old 11-29-2003, 05:54 PM   #2
Robert0380
LQ Guru
 
Registered: Apr 2002
Location: Atlanta
Distribution: Gentoo
Posts: 1,280

Rep: Reputation: 47
Sounds to me like you are making things more complicated than they have to be.

For one, port 443 is already reserved for HTTPS connections; why can't you just forward port 22 from the outside to port 22 on your box? Secondly, if you run screen and su to root and are worried about a potential break-in, just log out as root in the screen session when you no longer need root privileges. Also, if you think you are having issues with sudo, get rid of sudo. Also, use very secure passwords.

Another thing you could do is only allow incoming ssh connections to the computer from certain hosts. For instance, if you only use 1 or 2 other computers to log in, disallow ssh from all other IPs except those. As my box stands, I can only ssh in from my home network and any computer where I work.

As far as running screen goes, you need to log into the box itself to get into the screen session. If someone can log into your box as your main user, having screen running when they do so is a moot point. Unless there is some security hole in screen that I don't know about, screen is the least of your issues. The only problem I could see there is if you have screen running and inside one of the screens you are su'ed to root. Then whoever logs in can do a screen -x and they are root.

Basically what I'm saying is this: you can run sshd, but I'd disallow root logins. And you can have screen running in the background as much as you want, but as a precaution just don't leave one of the screen sessions logged in as root if you are worried about the owner of the screen session having the password compromised and someone attaching and becoming root.

Last edited by Robert0380; 11-29-2003 at 05:58 PM.
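The split that the original poster wanted (one port that only admits the dummy account, another that admits the main account) and the per-host restriction suggested in the reply above can both be expressed in a single sshd_config on any OpenSSH that supports Match blocks, which did not exist when this thread was written and is why the poster was looking at running two daemons. The fragment below is an added example, not configuration from either participant; the account names dummy and mainuser, the LAN-only port 2222, the 192.168.1.0/24 range and the *.example.com host pattern are all assumptions standing in for whatever the real setup uses.

```sshdconfig
# Added example (not from the thread): one sshd, two ports, different
# user sets per port.  Directives above the first Match are global;
# everything under a Match line applies only to connections that meet
# its criteria.

# 22 is where the router forwards its public 443; 2222 is assumed to be
# reachable only from the LAN (firewall it accordingly).
Port 22
Port 2222

# Hardening the reply recommends: never let root in directly.
PermitRootLogin no

# Internet-facing port: the dummy account is the only valid login.
# su to the main account afterwards still needs its password.
Match LocalPort 22
    AllowUsers dummy

# LAN-only port: the main account, and only from trusted sources.
# USER@HOST patterns check the user and the client address separately;
# HOST may be a CIDR block or a hostname pattern.
Match LocalPort 2222
    AllowUsers mainuser@192.168.1.0/24 mainuser@*.example.com
```

Before reloading the daemon, check the file with sshd's test mode, `sshd -t -f /etc/ssh/sshd_config`, which parses the configuration and exits non-zero on a bad directive without touching the running service. Hostname patterns in AllowUsers rely on reverse DNS of the client, so where possible prefer the CIDR form; and because AllowUsers inside a Match block replaces, rather than adds to, any global AllowUsers list, keep the global section free of it so each port's block is the only rule that applies.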
 
Old 12-02-2003, 05:57 PM   #3
Kyanos
LQ Newbie
 
Registered: Nov 2003
Location: Ottawa, Canada
Distribution: Debian
Posts: 10

Original Poster
Rep: Reputation: 0
Found a workaround

Since screen's complaint was that it couldn't read the tty, I added my user account to the tty group and then made the tty group-readable. Then it's a simple matter of su'ing to my user account and running screen.

This has the desired effect -- getting anywhere requires both the dummy account and user account passwords. If there's anything exploitable in my user account being a member of the tty group, I don't see it -- you'd have to already have that password to take advantage of it.

This bash function is what I now use to connect:

goscreen()
{
    local t
    t=$(tty) || return 1            # bail out if not on a terminal
    chmod g+r "$t" || return 1      # let group tty read this terminal
    su -c "screen -r -d" <user>     # <user> is the main account
    chmod g-r "$t"                  # revert even if su/screen failed
}
 
  

