Running multiple sshd instances on one server


Author: ss11223
Date: Mar 19, 2008 06:01

I am running a system that has a NAT firewall on it with two IP
addresses, one on the outside internet, and one on an internal
network. This is a Debian stable system.

I want to have different login criteria for the internal network
(passwords allowed) and the external network (key based only) and
different allowed user lists for each. I conjecture that the only way
to do this is to run two instances of sshd with different config
files. Is there anything in ssh that would prevent me from doing this?
Has anyone tried this and have any pointers or gotchas to look out
for?

Thanks,
Stuart
Re: Running multiple sshd instances on one server         


Author: Dale Dellutri
Date: Mar 19, 2008 07:23

On Wed, 19 Mar 2008 06:01:14 -0700 (PDT), ss11223@gmail.com wrote:
> I am running a system that has a NAT firewall on it with two IP
> addresses, one on the outside internet, and one on an internal
> network. This is a Debian stable system.
> I want to have different login criteria for the internal network
> (passwords allowed) and the external network (key based only) and
> different allowed user lists for each. I conjecture that the only way
> to do this is to run two instances of sshd with different config
> files. Is there anything in ssh that would prevent me from doing this?
> Has anyone tried this and have any pointers or gotchas to look out
> for?

I've run two separate sshd daemons. The instructions below,
which I've posted a few times before, pertain to RedHat-style
systems (RHEL, Fedora, CentOS, and so on). You'll have to
translate them for your debian system.
Re: Running multiple sshd instances on one server         


Author: ss11223
Date: Mar 20, 2008 07:49

>
> I've run two separate sshd daemons. The instructions below,
> which I've posted a few times before, pertain to RedHat-style
> systems (RHEL, Fedora, CentOS, and so on). You'll have to
> translate them for your debian system.
>
> =====
> I suggest the following procedure, which will give you two distinct
> ssh daemons, each with its own policies. These instructions pertain
> to Redhat-style systems, your file paths might vary.
>
> Let's assume you already have ssh set up to listen on one NIC
> with the policies you want. Then, without too much detail:
>
> 1. cp -p /etc/ssh/ssh_config /etc/ssh/otherssh_config
> Modify the new file as necessary for the policy you want.
>
> 2. cp -p /etc/ssh/sshd_config /etc/ssh/othersshd_config
> Modify the new file as necessary. Most importantly, look
> at ListenAddress and Port. ...
Re: Running multiple sshd instances on one server         


Author: Dale Dellutri
Date: Mar 20, 2008 08:05

On Thu, 20 Mar 2008 07:49:53 -0700 (PDT), ss11223 wrote:
>>
>> I've run two separate sshd daemons. The instructions below,
>> which I've posted a few times before, pertain to RedHat-style
>> systems (RHEL, Fedora, CentOS, and so on). You'll have to
>> translate them for your debian system.
>>...[snipped]...
> Thanks. The procedure you gave is about what I thought to do except
> I didn't think that it was necessary to copy the executable to another
> name first.

First, some of the subroutines in the startup script depend on the
executable name being the same as the service name. Second, if you
do a "ps" or something else that shows statistics by process, it will
be possible to know which ssh daemon is which. Third, having a new
name gives a consistent naming scheme to all components of the new
(RedHat-style) service.

Of course, Debian may have different requirements.

--
Dale Dellutri panQQQix.com> (lose the Q's)
Re: Running multiple sshd instances on one server         


Author: phil-news-nospam
Date: Mar 28, 2008 12:09

On Thu, 20 Mar 2008 07:49:53 -0700 (PDT) ss11223 wrote:

| Thanks. The procedure you gave is about what I thought to do except
| I didn't think that it was necessary to copy the executable to another
| name first.

It's not exactly required, but it is a good idea. It keeps processes well
identified, for example. In many cases, the distinction is by inode, so
making a hardlink is not as good as a full copy.

--
|---------------------------------------/----------------------------------|
| Phil Howard KA9WGN (ka9wgn.ham.org) / Do not send to the address below |
| first name lower case at ipal.net / spamtrap-2008-03-28-1408@ipal.net |
|------------------------------------/-------------------------------------|
Re: Running multiple sshd instances on one server         


Author: Darren Tucker
Date: Apr 10, 2008 03:55

On 2008-03-19, ss11223@gmail.com wrote:
> I am running a system that has a NAT firewall on it with two IP
> addresses, one on the outside internet, and one on an internal
> network. This is a Debian stable system.
>
> I want to have different login criteria for the internal network
> (passwords allowed) and the external network (key based only) and
> different allowed user lists for each. I conjecture that the only way
> to do this is to run two instances of sshd with different config
> files.

Depending on how modern the OpenSSH version is, you can use the Match
directive to do that in a single instance.

PasswordAuthentication no
# plus all other auth types such as ChallengeResponse and
# KbdInteractive...
Match Address 192.168.0.*
PasswordAuthentication yes
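
Added example (not written by any poster in this thread): a single-instance sshd_config for the setup discussed above, carrying the Match approach through to both requirements, the authentication methods and the allowed-user list. The user names alice, bob and carol and the external test address are made up, and it assumes an OpenSSH release recent enough to accept these keywords inside a Match block.

```conf
# sshd_config for one daemon serving both networks (constructed example).

# Global section: applies to every connection that no Match block
# overrides, i.e. everything arriving from the external side.
PubkeyAuthentication yes
PasswordAuthentication no
# Keyboard-interactive can still prompt for a password (for example
# through PAM), so it is switched off as well. Older releases call
# this option ChallengeResponseAuthentication.
KbdInteractiveAuthentication no
# Users allowed to log in from anywhere (hypothetical name).
AllowUsers alice

# Internal network only. "Address" is the client's source address as
# sshd sees it; CIDR notation is accepted as well as wildcards.
# Settings here replace the global ones for matching connections.
Match Address 192.168.0.0/24
    PasswordAuthentication yes
    AllowUsers alice bob carol

# Anything placed below this point would belong to the Match block
# above, so global settings must stay above the first Match line.

# Checking the result before reloading the daemon:
#   sshd -t -f /etc/ssh/sshd_config
#       syntax check only
#   sshd -T -f /etc/ssh/sshd_config -C user=bob,host=client,addr=192.168.0.10
#       effective settings for an internal client
#       (expect "passwordauthentication yes")
#   sshd -T -f /etc/ssh/sshd_config -C user=bob,host=client,addr=203.0.113.5
#       effective settings for an external client
#       (expect "passwordauthentication no")
```

Comparing the two `sshd -T` outputs line by line is the quickest way to confirm that nothing other than the intended settings differs between the internal and external policies.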
