I'm putting this into documentation:
Hardening server by adding 2 ssh sessions
The way LTSP works right now makes the ssh handling vulnerable
to the outside world if you don't block access to port 22 from
the wan interface entirely. The solution is to create 2 instances
of ssh, one serving the internal ip on port 22 and one serving the
wan interface on port 2222. If you only have one interface,
then both ssh sessions would serve the same interface, but one
would serve port 22 and the other 2222. This is how to set this
up:
sudo cp /etc/init.d/ssh /etc/init.d/ltsp-ssh
sudo cp /etc/default/ssh /etc/default/ltsp-ssh
sudo cp /etc/ssh/sshd_config /etc/ltsp/ltsp-sshd_config
sudo cp -r /var/run/sshd /var/run/ltsp-ssh   # /var/run/sshd is a directory
sudo sed -i -e 's/Port 22/Port 2222/' /etc/ltsp/ltsp-sshd_config
If you are using 2 interfaces also do:
sudo sed -i -e 's/#ListenAddress 0.0.0.0/ListenAddress 192.168.0.1/' /etc/ltsp/ltsp-sshd_config
sudo sed -i -e 's/#ListenAddress 0.0.0.0/ListenAddress 10.0.0.42/' /etc/ssh/sshd_config
Change 10.0.0.42 with the address of your wan facing interface.
You will also need to change the .pid of the new ssh instance:
echo "PidFile /var/run/ltsp-sshd.pid" | sudo tee -a /etc/ltsp/ltsp-sshd_config
# the path contains '/', so use '|' as the s-command delimiter
sudo sed -i -e 's|SSHD_OPTS=|SSHD_OPTS="-f /etc/ltsp/ltsp-sshd_config"|' /etc/default/ltsp-ssh
sudo sed -i -e 's|AllowUsers|AllowUsers [EMAIL PROTECTED]/24|' /etc/ltsp/ltsp-sshd_config
Does this look about right?
On Wed, Oct 15, 2008 at 3:56 PM, Gavin McCullagh <[EMAIL PROTECTED]> wrote:
> Hi,
>
> On Wed, 15 Oct 2008, Oliver Grawert wrote:
>
>> > https://blueprints.launchpad.net/ltsp/+spec/dedicated-ltsp-sshd
>> >
>> > As it's low priority, it hasn't really happened though.
>> note that SSH_OVERRIDE_PORT in lts.conf has been supported for a while
>> (pre-hardy even, I think), so all that's left is a way to set up the server
>> side more easily
>
> Great. I hadn't realised that. If anyone's interested in getting the
> server side done, it's relatively straightforward, I had it working for a
> while. I'm happy to lend a hand or help write the config files. I did it
> on ubuntu before (the blueprint instructions are derived from what I did)
> but I amn't certain how easily one could do it for all platforms.
>
> The ltsp I work on is now not exposed to the net in the same way so it's
> not such an issue to me, but I still think it would be a good step for
> ltsp.
>
> Gavin
>
>
> -------------------------------------------------------------------------
> This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
> Build the coolest Linux based applications with Moblin SDK & win great prizes
> Grand prize is a trip for two to an Open Source event anywhere in the world
> http://moblin-contest.org/redirect.php?banner_id=100&url=/
> _____________________________________________________________________
> Ltsp-discuss mailing list. To un-subscribe, or change prefs, goto:
> https://lists.sourceforge.net/lists/listinfo/ltsp-discuss
> For additional LTSP help, try #ltsp channel on irc.freenode.net
>
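An added example, not part of either mail above and not LTSP project code: the config edits from the post, following the commands as posted (the ltsp-ssh instance on the internal address 192.168.0.1 and port 2222, the stock sshd pinned to the WAN address 10.0.0.42 on port 22), applied to a constructed sample sshd_config in a temporary directory so it runs unprivileged, followed by a check that the two instances end up on distinct address:port pairs. The sample config contents, the temp-dir paths and the helper names are assumptions; the AllowUsers pattern is left out because the archive redacted it.

```shell
#!/bin/sh
# Added example (not from the mail above and not LTSP project code): apply the
# posted edits to a constructed sample sshd_config in a temp dir, unprivileged,
# then check the two instances bind distinct address:port pairs.
# Assumed: sample config contents, temp paths, helper names. Addresses, port
# and pid-file name are the ones given in the post.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
STOCK_CONF="$WORK/sshd_config"       # stands in for /etc/ssh/sshd_config
LTSP_CONF="$WORK/ltsp-sshd_config"   # stands in for /etc/ltsp/ltsp-sshd_config
DEFAULTS="$WORK/ltsp-ssh"            # stands in for /etc/default/ltsp-ssh

# Constructed sample carrying the stock lines the sed edits depend on.
cat > "$STOCK_CONF" <<'EOF'
Port 22
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
PermitRootLogin no
EOF
printf 'SSHD_OPTS=\n' > "$DEFAULTS"

# In-place edit via temp file and rename; "sed -ie" would instead be read by
# GNU sed as -i with backup suffix "e" and leave *_confige files behind.
edit_in_place() {  # edit_in_place FILE SED_EXPR
    sed -e "$2" "$1" > "$1.new" && mv "$1.new" "$1"
}

# Derive a second instance from a stock config: new port, address, pid file.
make_instance() {  # make_instance SRC DST PORT ADDR PIDFILE
    cp "$1" "$2"
    edit_in_place "$2" 's/^Port 22$/Port '"$3"'/'
    edit_in_place "$2" 's/^#ListenAddress 0\.0\.0\.0$/ListenAddress '"$4"'/'
    printf 'PidFile %s\n' "$5" >> "$2"   # default would collide on sshd.pid
}

# Point the copied init defaults at the new config. The path contains '/',
# so '|' is used as the s-command delimiter.
set_config_path() {  # set_config_path DEFAULTS_FILE CONFIG_PATH
    edit_in_place "$1" 's|^SSHD_OPTS=.*|SSHD_OPTS="-f '"$2"'"|'
}

# Value of the first active (uncommented) occurrence of a directive.
directive() {  # directive FILE KEY
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# ADDR:PORT an instance would bind, using sshd's defaults when unset.
listen_spec() {  # listen_spec FILE
    addr=$(directive "$1" ListenAddress)
    port=$(directive "$1" Port)
    printf '%s:%s\n' "${addr:-0.0.0.0}" "${port:-22}"
}

# Succeeds only when the two instances do not bind the same ADDR:PORT.
instances_distinct() {  # instances_distinct CONF_A CONF_B
    [ "$(listen_spec "$1")" != "$(listen_spec "$2")" ]
}

# The procedure as posted: ltsp-ssh on the internal address and port 2222,
# the stock sshd pinned to the WAN address on port 22.
make_instance "$STOCK_CONF" "$LTSP_CONF" 2222 192.168.0.1 /var/run/ltsp-sshd.pid
edit_in_place "$STOCK_CONF" 's/^#ListenAddress 0\.0\.0\.0$/ListenAddress 10.0.0.42/'
set_config_path "$DEFAULTS" /etc/ltsp/ltsp-sshd_config

echo "stock sshd binds $(listen_spec "$STOCK_CONF")"
echo "ltsp-ssh binds   $(listen_spec "$LTSP_CONF")"
if instances_distinct "$STOCK_CONF" "$LTSP_CONF"; then
    echo "no address/port collision between the two instances"
fi
```

Run it with `sh`; it needs no root because everything is written under the temp dir. Two points it makes concrete: the separate PidFile is what keeps the second daemon from overwriting the first one's default /var/run/sshd.pid, and the collision check is the test to run before starting both services on a single-interface box, where only the port separates them.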