hey friends,
I am using openssh-3.9 on FC3. Is it possible to have different ssh settings for each user, meaning if there is a user john he can only connect through port 3309, and if there is a user mary she can only connect through port 4067?
The rest of the users should be able to connect through the default port, that is 5009.
Moreover, is it possible to restrict some users to log in only from a few machines? For example, I want to restrict user tom so that he can only log in from one machine.
Please let me know if you need any further inputs.
Thanks & Regards
Ankush Grover
On Wed, 2006-05-31 at 11:54 +0530, Ankush Grover wrote:
hey friends,
I am using openssh-3.9 on FC3. Is it possible to have different ssh settings for each user, meaning if there is a user john he can only connect through port 3309, and if there is a user mary she can only connect through port 4067?
The rest of the users should be able to connect through the default port, that is 5009.
Hi Ankush,
I believe you can do this by running a different sshd for each unique port (using ListenAddress, Port) that you wish to allow ssh connections to, then use the "AllowUsers" configuration property for each respective sshd to limit the logins on each port to given users. You will need to modify or duplicate the sshd service script to cater for this, and have multiple sshd_config files, one for each unique port.
Moreover, is it possible to restrict some users to log in only from a few machines? For example, I want to restrict user tom so that he can only log in from one machine.
Have a look at /etc/hosts.allow and /etc/hosts.deny for this one. Use of these files will affect all connections, not just those via ssh.
Cheers, Ben
Please let me know if you need any further inputs.
Thanks & Regards
Ankush Grover
Hi Ankush,
I believe you can do this by running a different sshd for each unique port (using ListenAddress, Port) that you wish to allow ssh connections to, then use the "AllowUsers" configuration property for each respective sshd to limit the logins on each port to given users. You will need to modify or duplicate the sshd service script to cater for this, and have multiple sshd_config files, one for each unique port.
hey Mr. Ben,
I tried to do the same as you told me. I created another service sshd1 under /etc/init.d and changed some settings for the sshd1 service, like:
CONFIG_FILE=/etc/ssh/sshd_config1
PID_FILE=/var/run/sshd1.pid
SSHD=/usr/sbin/sshd1
[ -f /etc/sysconfig/sshd1 ] && . /etc/sysconfig/sshd1
/var/lock/subsys/sshd1
The settings in the /etc/ssh/sshd_config1 file:
Port 3455
ListenAddress 192.168.1.45
PermitRootLogin no
AllowUsers raju
The settings under /etc/ssh/sshd_config are default, except that I changed the listen address to 192.168.1.45 and disabled the connection for IPv6.
I restarted the sshd & sshd1 services, but I got the error below and I am not able to ssh on port 3455, whereas on port 22 I can. I have also copied /usr/sbin/sshd to /usr/sbin/sshd1 and added this in the /etc/init.d/sshd1 file.
sshd1[4238]: error: Bind to port 22 on 192.168.1.45 failed: Address already in use.
May 31 17:32:17 cluster1 sshd1[4238]: fatal: Cannot bind any address.
sshd1 is listening on port 3455, not on 22.
I have also added this line in /etc/modprobe.conf to disable IPv6:
alias net-pf-10 off
How do I get rid of this problem?
Thanks & Regards
Ankush Grover
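Since sshd reads /etc/ssh/sshd_config unless started with -f, and AllowUsers in sshd_config(5) accepts user@host patterns, the per-port setup described in this thread can be generated and sanity-checked as follows. This is an added example, not code from the thread; the init-script behaviour and every address, port and file name are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: emit one sshd_config per port
# plus the /etc/sysconfig line that makes a second sshd instance read it.
# Assumes the stock Fedora init script starts sshd as "$SSHD $OPTIONS"
# after sourcing /etc/sysconfig/<service>; 192.168.1.45 (server) and
# 192.168.1.10 (tom's workstation) are constructed addresses.

# gen_sshd_config ADDR PORT PIDFILE [USER...]
# Prints an sshd_config bound to one address:port. If users are given,
# only they may log in on this instance; a user@host pattern further
# pins that user to a source address (AllowUsers syntax, sshd_config(5)).
gen_sshd_config() {
    addr=$1 port=$2 pidfile=$3
    shift 3
    printf '# Port must precede a ListenAddress given without :port\n'
    printf 'Port %s\nListenAddress %s\nPidFile %s\n' "$port" "$addr" "$pidfile"
    printf 'PermitRootLogin no\n'
    [ $# -gt 0 ] && printf 'AllowUsers %s\n' "$*"
    return 0
}

# gen_sysconfig CONFIGFILE
# Without -f a copied sshd binary still reads /etc/ssh/sshd_config and
# tries to bind the same port 22 the main instance already holds.
gen_sysconfig() {
    printf 'OPTIONS="-f %s"\n' "$1"
}

# listens_on CONFIG PORT: true when CONFIG binds PORT; a cheap check to
# run before "sshd -t -f FILE" on the real host.
listens_on() {
    printf '%s\n' "$1" | grep -q "^Port $2\$"
}

# Constructed instances: john and mary get private ports, tom gets a port
# he may use only from one machine, everyone else shares 5009. Add
# "DenyUsers tom" to the shared config if tom must not use 5009 as well.
CFG_JOHN=$(gen_sshd_config 192.168.1.45 3309 /var/run/sshd_john.pid john)
CFG_MARY=$(gen_sshd_config 192.168.1.45 4067 /var/run/sshd_mary.pid mary)
CFG_TOM=$(gen_sshd_config 192.168.1.45 5010 /var/run/sshd_tom.pid tom@192.168.1.10)
CFG_REST=$(gen_sshd_config 192.168.1.45 5009 /var/run/sshd.pid)

# Show what would go into /etc/sysconfig/sshd_john and its config file.
gen_sysconfig /etc/ssh/sshd_config_john
printf '%s\n' "$CFG_JOHN"
```

Each extra instance also needs its own init script copy pointing SSHD at a distinctly named binary if hosts.allow rules are to be written per instance.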
On Wednesday, May 31st 2006 at 11:54 +0530, quoth Ankush Grover:
=>I am using openssh-3.9 on FC3. Is it possible to have different ssh
=>settings for each user, meaning if there is a user john he can only
=>connect through port 3309, and if there is a user mary she can
=>only connect through port 4067?
=>
=>The rest of the users should be able to connect through the default port,
=>that is 5009.
You may use multiple lines in your sshd config file:
ListenAddress 3309
ListenAddress 4067
ListenAddress 5009
Why in the Wide World of Sports would you want to do such a thing?
=>Moreover, is it possible to restrict some users to log in only from a few
=>machines? For example, I want to restrict user tom so that he can only
=>log in from one machine.
To restrict a user to an address, use tcpwrappers.
On 5/31/06, Steven W. Orr steveo@syslang.net wrote:
On Wednesday, May 31st 2006 at 11:54 +0530, quoth Ankush Grover:
=>I am using openssh-3.9 on FC3. Is it possible to have different ssh
=>settings for each user, meaning if there is a user john he can only
=>connect through port 3309, and if there is a user mary she can
=>only connect through port 4067?
=>
=>The rest of the users should be able to connect through the default port,
=>that is 5009.
You may use multiple lines in your sshd config file:
ListenAddress 3309
ListenAddress 4067
ListenAddress 5009
It is a good choice when you want similar settings for all the users. What I want is separate user settings per port.
Why in the Wide World of Sports would you want to do such a thing?
Thanks for the reply. We have some partners and clients who log in through ssh, meaning sftp. Those accounts are chrooted, and through sftp we give them updates for our software, meaning patches.
As the FC3 box is accessible from the Internet, we want to keep our clients & partners separate, even having different ssh settings for them.
Thanks & Regards
Ankush Grover
On Wed, 2006-05-31 at 22:09 +0530, Ankush Grover wrote:
On 5/31/06, Steven W. Orr steveo@syslang.net wrote:
On Wednesday, May 31st 2006 at 11:54 +0530, quoth Ankush Grover:
=>I am using openssh-3.9 on FC3. Is it possible to have different ssh
=>settings for each user, meaning if there is a user john he can only
=>connect through port 3309, and if there is a user mary she can
=>only connect through port 4067?
=>
=>The rest of the users should be able to connect through the default port,
=>that is 5009.
You may use multiple lines in your sshd config file:
ListenAddress 3309
ListenAddress 4067
ListenAddress 5009
It is a good choice when you want similar settings for all the users. What I want is separate user settings per port.
The problem is that it doesn't know the user until it has already answered on a port... You should be able to run multiple instances of sshd, each listening on different ports and using a different configuration file, though.
Why in the Wide World of Sports would you want to do such a thing?
Thanks for the reply. We have some partners and clients who log in through ssh, meaning sftp. Those accounts are chrooted, and through sftp we give them updates for our software, meaning patches.
If they only download, why not use https instead? That would be easier for both of you.
As the FC3 box is accessible from the Internet, we want to keep our clients & partners separate, even having different ssh settings for them.
FC3 is getting kind of old...