Operating System - HP-UX
Steve Post
Trusted Contributor

open tunnel for sftp but NOT for ssh?

If I open up the firewall for sftp, do I also get stuck opening it up for ssh and scp? Is there a way where I can open up a tunnel to the outside for sftp only, and keep ssh working for inside boxes?

Let me say what I am looking for via example:
outside guy can sftp in as a user to a chrooted account.
outside guy cannot ssh into box no matter how valid the userid;password is.

INSIDE guy can ssh and sftp into the box.

Is there a way to do this?

Steven E. Protter
Exalted Contributor

Re: open tunnel for sftp but NOT for ssh?

Shalom,

openssh operates all services on port 22 by default.

That doesn't mean you can't operate them on a different port.

There is a rich feature set in the sshd_config and ssh_config files.

We (almost) met your guidelines as follows:

< #PermitRootLogin no
< PermitRootLogin without-password
---
> #PermitRootLogin yes
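Review bot: this hunk narrows root only; `PermitRootLogin without-password` removes password authentication for root alone, and no `PasswordAuthentication`, `AllowUsers` or `ForceCommand` line for other accounts appears in it, so on its own it does not give the sftp-only behaviour the question asks for. The hunk is also missing the line-range header that the later `43c42` and `108d106` hunks carry, so it is not clear which lines of the two files were compared.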
43c42
< PubkeyAuthentication yes
---
> #PubkeyAuthentication yes
108d106
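Review bot: `108d106` announces a line deleted from the first file, but no `<` line follows it, so the diff output is cut off here. Re-run the diff and paste the complete output so the deleted directive can be reviewed with the rest.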

We set up the root user to only permit public key based access. This permits the cluster nodes to send files back and forth and certain systems to jump on and administer.

If you look through the two configuration files you can probably get this done.

I don't know of any firewall that can discern between ssh/scp and sftp. Maybe Checkpoint can. That could be worth looking into.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Heironimus
Honored Contributor

Re: open tunnel for sftp but NOT for ssh?

scp and sftp both run through ssh using the same mechanisms as remote commands, so it's all opaque to the network and any restrictions have to be enforced on the server. There are custom shells available to do what you're looking for. rssh and scponly seem to be the two most common.
Steve Post
Trusted Contributor

Re: open tunnel for sftp but NOT for ssh?

Is there a way to use something like /var/adm/inetd.sec?

I want to disable all but sftp access from the outside.
I would put this in inetd.sec but it won't work because ssh, sftp and scp are, as you guys say, using the same port.

ssh allow
scp allow

Even though I can ssh into the box from an inside address, I don't want this ability from an outside address. Having a specific shell assigned by userid is nice. I guess I want a shell assigned by userid AND calling ip address?


hmmm. I'm thinking........
Perhaps I should have two ssh's running. The outside ssh is normal, and only allows 2 specified, chrooted users.

The inside ssh is on a different port, and allows any user, but only from inside addresses.

Let me follow through my crazy idea.....
I modify /etc/services to add new sshinside service at port 12345. I update inetd.sec to only allow sshinside from inside addresses.

I update sshd_config on the standard, outside ssh to only allow my two chrooted users via "AllowUsers" line.

Then I can ssh into the box from the inside only by using port 12345 and my ssh-inside. And I can ssh into the box from the outside, but only as one of my two chrooted users.

What do you think? Is this feasible?
Heironimus
Honored Contributor

Re: open tunnel for sftp but NOT for ssh?

I think the general idea should work. I wouldn't worry about letting internal people get to the external accounts, though. You could also bind the different sshd's to different IPs instead of different ports, if that would make your setup easier.
Steve Post
Trusted Contributor

Re: open tunnel for sftp but NOT for ssh?

Now that's a cool idea. It looks like "ListenAddress" in sshd_config will let me specify the address and port I listen for like apache does. So I could keep it port 22, and have a different ip. This box already has multiple ip's set up.
I'll have to start running tests with these ideas.
Thanks.
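To put the design the thread converges on into concrete form, here is an added example that is not code from the thread, from HP or from any of the posters: a shell script that writes the two sshd_config files, one for an outside listener bound to the external address that admits only the two chrooted accounts and forces them into sftp, and one for an inside listener on the internal address, both on port 22 as the last reply suggests. It goes beyond the thread by using Match, ForceCommand internal-sftp and ChrootDirectory, which need OpenSSH 4.9 or later; on an older HP-UX Secure Shell the rssh/scponly route from the earlier reply is the equivalent way to deny a shell. The addresses 203.0.113.10 and 10.0.0.10, the network 10.0.0.0/8, the account names xferA and xferB, the /sftp/%u chroot path and the pid file names are all placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread: write the two sshd_config files for
# the two-listener design (outside sshd on the external address, inside sshd on
# the internal address, both on port 22) and sanity-check the outside one.
# Needs OpenSSH 4.9 or later for Match, ChrootDirectory and internal-sftp.
# Every value below is a placeholder; override it in the environment.
EXT_IP="${EXT_IP:-203.0.113.10}"            # address the outside reaches
INT_IP="${INT_IP:-10.0.0.10}"               # address only the inside reaches
INT_NET="${INT_NET:-10.0.0.0/8}"            # internal source network
SFTP_USERS="${SFTP_USERS:-xferA xferB}"     # the two chrooted sftp-only accounts

# Outside listener: only the named accounts may authenticate, and every one of
# them is forced into a chrooted sftp session, so a valid password or key on
# this listener never reaches a shell, scp or port forwarding.
write_outside_config() {
    cat > "$1" <<EOF
Port 22
ListenAddress $EXT_IP
PidFile /var/run/sshd_outside.pid
PermitRootLogin no
AllowUsers $SFTP_USERS
Subsystem sftp internal-sftp
Match User $(echo "$SFTP_USERS" | tr ' ' ',')
    ChrootDirectory /sftp/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
    PermitTunnel no
EOF
}

# Inside listener: normal logins, bound to the internal address. The Match
# block is a second line of defence in case $INT_IP ever becomes reachable
# from outside: any client not in $INT_NET is refused at authentication.
write_inside_config() {
    cat > "$1" <<EOF
Port 22
ListenAddress $INT_IP
PidFile /var/run/sshd_inside.pid
PermitRootLogin without-password
Subsystem sftp internal-sftp
Match Address *,!$INT_NET
    DenyUsers *
EOF
}

# Return 0 only if the outside config carries every directive that keeps a
# valid credential from yielding a shell on the external address.
check_outside() {
    f="$1"
    grep -q "^ListenAddress $EXT_IP\$" "$f"          || return 1
    grep -q '^AllowUsers ' "$f"                      || return 1
    grep -q '^    ChrootDirectory ' "$f"             || return 1
    grep -q '^    ForceCommand internal-sftp$' "$f"  || return 1
    grep -q '^    AllowTcpForwarding no$' "$f"       || return 1
    return 0
}

# Usage: sh two_sshd_configs.sh /tmp/sshd-split
if [ -n "${1:-}" ]; then
    mkdir -p "$1"
    write_outside_config "$1/sshd_config.outside"
    write_inside_config  "$1/sshd_config.inside"
    if check_outside "$1/sshd_config.outside"; then
        echo "wrote $1/sshd_config.outside ($EXT_IP, sftp-only) and $1/sshd_config.inside ($INT_IP)"
    else
        echo "outside config failed the sftp-only check" >&2
        exit 1
    fi
fi
```

Run each generated file through `sshd -t -f <file>` before use; the second daemon is started with `sshd -f <file>`, and the separate PidFile lines are what let two instances coexist. ChrootDirectory requires every component of the chroot path to be owned by root and not writable by group or others, so give each account a writable subdirectory under its chroot rather than the chroot itself. The firewall then only needs to admit port 22 towards the external address; which login the connection may turn into is decided by sshd, not by the packet filter, which is the point the second reply makes.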