LinuxQuestions.org

Linux - Newbie: SSH login on port 80 (https://www.linuxquestions.org/questions/linux-newbie-8/ssh-login-on-port-80-a-466318/)

Braynid 07-21-2006 02:23 PM

SSH login on port 80
 
Hello,
I know it's a simple one but I just can't figure this out on my own.
How can I grant only one user the possibility to connect both on port 21 and 80 using ssh?
I have Ubuntu 6.06 server.
Thanks

JimBass 07-21-2006 09:31 PM

You don't.

First off, port 80 is for websites, and 21 is for FTP. Port 22 is for ssh. You can go in the ssh.conf file and set it to listen at any port you choose, but using a port that is assigned can lead to weird events. How does your ssh server deal with a request from a web browser? It should just refuse it, but you never know.

With a firewall, particularly a good hardware firewall, you could direct traffic from a given IP address (the one user) headed to port 80 or 21 to port 22 on the machine.

Also, what do you mean by only one user? Is there only one user on the machine, or do you only want one person of the several with accounts on it to have access to it?

Peace,
JimBass

Braynid 07-22-2006 06:55 AM

Right you are my friend, just to clear things out, I know 80 is for http, I have a friend that can only access the 80 port from where he connects to the internet and I want him to be able to connect remotely on my machine (on port 22).
About that firewall, I have only my linux to use, how can I configure it right?

My deepest thanks!

JimBass 07-22-2006 08:14 AM

Ok, here's how I would do it:

1) Edit /etc/ssh/sshd_config. Take the line that says
Code:

# What ports, IPs and protocols we listen for
Port 22

and turn the 22 into 80. Then restart sshd.

2) That means you have ssh listening on 80, so if you run any webpages off of this box, you need to move them to some port other than 80.

3) For you, your friend, or anyone else to connect, you need to pass a port to the ssh client. That command should look like
Code:

ssh -p 80 your.ip.address.or.domainname

For the sake of security, make sure you don't allow root to ssh in (force users to log in as users then use su to elevate). Allowing root in directly is a major security hole, as all the script kiddies try to ssh as root. You may also want to use the authorized_keys file to allow access, and once you get the key from your friend, change the sshd_config again so that password authentication is disabled. That way nobody can get in except your friend. The way to set up such keys is covered on this page, close to the top with the title "How do I setup OpenSSH". Don't do it as root or backuppc as the article says, have your friend do it as the username he has on your machine. http://backuppc.sourceforge.net/faq/ssh.html

Have fun.

Peace,
JimBass
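The sshd_config changes from the steps above (listening port, no root login, key-only authentication once the friend's key is in place), applied to a copy of the file so it can be checked before install. This is an added example, not code from the thread; it assumes Ubuntu's file layout, the sample config is constructed, and the port is just a parameter (later in the thread the port change is dropped in favour of NAT).

```shell
#!/bin/sh
# Added example, not code from the thread: apply the sshd_config changes
# JimBass lists (listening port, no root login, key-only auth) to a COPY of
# the file, so it can be checked with `sshd -t -f copy` before install.
# Assumes Ubuntu's file layout; the sample config below is constructed.
set -eu

# set_directive FILE KEY VALUE: replace the first active KEY line in the
# global section, or insert "KEY VALUE" before the first Match block (or at
# the end). Commented-out lines are left alone: sshd uses the first active
# occurrence, and directives after "Match" only apply inside that block.
set_directive() {
    f=$1; key=$2; val=$3
    awk -v k="$key" -v v="$val" '
        !done && /^[ \t]*Match[ \t]/ { print k " " v; done = 1 }
        !done && $1 == k           { print k " " v; done = 1; next }
        { print }
        END { if (!done) print k " " v }
    ' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# effective_value FILE KEY: the value sshd applies globally (first active
# occurrence before any Match block).
effective_value() {
    awk -v k="$2" '/^[ \t]*Match[ \t]/ { exit } $1 == k { print $2; exit }' "$1"
}

harden_sshd_config() {
    f=$1; port=$2
    set_directive "$f" Port "$port"
    set_directive "$f" PermitRootLogin no        # log in as a user, then su
    set_directive "$f" PubkeyAuthentication yes  # friend's key in authorized_keys
    set_directive "$f" PasswordAuthentication no # only after the key is in place
}

# Constructed sample in the layout of Ubuntu's /etc/ssh/sshd_config.
make_sample_config() {
    printf '%s\n' '# What ports, IPs and protocols we listen for' 'Port 22' \
        '#PermitRootLogin prohibit-password' 'PasswordAuthentication yes' \
        'Match User backup' '    PasswordAuthentication no' > "$1"
}

cfg=$(mktemp)
make_sample_config "$cfg"
harden_sshd_config "$cfg" 80
cat "$cfg"   # review, then: sshd -t -f "$cfg" && cp "$cfg" /etc/ssh/sshd_config
rm -f "$cfg"
```

Keep an existing session open while restarting sshd with the new file, so a mistake in it cannot lock you out.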

osor 07-22-2006 03:00 PM

What I would do instead (assuming you know your friend's ip or domain name), is to put in some NAT rules using iptables (but only for that one ip). That way, the ssh server thinks it's communicating over port 22, and the client thinks it's communicating over port 80, and it only works for your friend.

JimBass 07-22-2006 03:23 PM

Yes, Osor is correct, I didn't read carefully. If your friend can only come out on port 80, but you want him to connect at the standard port of 22, then you need to use a router or firewall to translate any request of his that comes in at port 80 to be forwarded to port 22. Without a hardware/software firewall or router to translate 80 (from his IP only) to 22, you won't get it to do what you want.

Doing what I suggested earlier would move SSH for everyone from 22 to 80, which is the inverse (converse?) of what you asked for. My bad.

Peace,
JimBass

Braynid 07-24-2006 03:02 AM

I've got the point but I don't really know iptables that well :o Can you please guide me a little?!
Thanks!

osor 07-24-2006 05:22 PM

Well, to start with, you need to have the required netfilter modules loaded (I don't know the names off the top of my head since mine are always in the kernel. I think just basic iptables.ko and iptables-nat.ko will do for this).

Then try (I haven't had time to thoroughly proofread, so if you have trouble, it's probably my fault):
Code:

# run as root; set IP_FRIEND (your friend's address) and IP_YOURS (this machine's address) first
iptables -t nat -A PREROUTING  -s "${IP_FRIEND}" -p tcp -m tcp --dport 80 -j DNAT --to-destination "${IP_YOURS}:22"
# replies of a DNATed connection are mapped back by connection tracking, so this second rule is not needed for them; it is harmless
iptables -t nat -A POSTROUTING -d "${IP_FRIEND}" -p tcp -m tcp --sport 22 -j SNAT --to-source "${IP_YOURS}:80"

The first rule will make your computer think that everything coming from your friend's IP with a TCP destination port of 80 should be interpreted as coming to TCP destination port 22 (using your IP). The second rule does the opposite (it makes everything destined to your friend with a source port of 22 actually leave your computer with a source port of 80).

This is a very basic implementation of what I was talking about. Of course, there are probably other, more elegant methods for this, so I await a post from someone more knowledgeable than I am about this stuff.
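A check that belongs next to the rules above: the translation must stay limited to the one source address, otherwise SSH becomes reachable on port 80 from anywhere and a web server on that port stops working. This added example (not code from the thread) audits an `iptables-save -t nat` dump for such unscoped rules; the dumps are constructed and the addresses are documentation ranges.

```shell
#!/bin/sh
# Added example, not code from the thread: audit an `iptables-save -t nat`
# dump for the redirect osor describes. Any PREROUTING rule that DNATs or
# REDIRECTs into the SSH port without an "-s" source restriction would expose
# SSH on port 80 to everyone (and break a web server on 80) rather than to the
# one friend. The dumps below are constructed; addresses are documentation ranges.
set -eu

# audit_ssh_redirect DUMPFILE SSH_PORT
# Prints each unscoped rule; exit status 1 if any were found, 0 otherwise.
audit_ssh_redirect() {
    awk -v ssh_port="$2" '
        /^-A PREROUTING / && (/-j DNAT/ || /-j REDIRECT/) {
            dest = ""; scoped = 0
            for (i = 1; i <= NF; i++) {
                if ($i == "--to-destination" || $i == "--to-ports") dest = $(i + 1)
                if ($i == "-s") scoped = 1
            }
            n = split(dest, p, ":")          # "192.0.2.10:22" or just "22"
            if (p[n] == ssh_port && !scoped) { print "UNSCOPED: " $0; bad++ }
        }
        END { exit (bad > 0) }
    ' "$1"
}

# write_dump FILE good|bad: constructed iptables-save output for the demo.
write_dump() {
    if [ "$2" = good ]; then
        printf '%s\n' '*nat' ':PREROUTING ACCEPT [0:0]' \
            '-A PREROUTING -s 203.0.113.5/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.0.2.10:22' \
            'COMMIT' > "$1"
    else
        printf '%s\n' '*nat' ':PREROUTING ACCEPT [0:0]' \
            '-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 22' \
            '-A PREROUTING -p tcp -m tcp --dport 8080 -j REDIRECT --to-ports 80' \
            'COMMIT' > "$1"
    fi
}

for kind in good bad; do
    d=$(mktemp); write_dump "$d" "$kind"
    if audit_ssh_redirect "$d" 22; then echo "$kind: redirect limited to one source"
    else echo "$kind: SSH reachable on the redirected port from any address"; fi
    rm -f "$d"
done
```

On the real machine, feed it `iptables-save -t nat > dump` and run `audit_ssh_redirect dump 22` after loading the rules.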

