Joshua Feather wrote: > I'm curious if anyone knows of a way to configure openssh on a > Solaris(8/9) and Linux system (RH4) to use port 22 for ssh and 522 for > sftp usikng only one installed client rather that installing seperate > instances to utilize seperate ports...any help woul dbe greatly > appreciated!
There are a few 'solutions' but these will require that you have separate sshd instances and id's for both sftp and ssh for every user. ie: as someone else pinted out, use two separate config files conf22 and conf522. Essentially you have to use separate userids on these systems so that userA-ssh is 'locked' inside a restricted shell (eg:rbash) such that they cannot use sftp or other file copying utilities (this is not trivial... esp if they need access to editors, etc). The other account (userA-sftp) uses either rssh or scponly as the 'shell' and so cannot login interactively using that account. Finally add user*-ssh to group sshAllow and user*-sftp to sftpAllow, then use Deny/AllowGroup in the relevant sshd_config to prevent users gaining access to the other sshd (they are the same process after all and without this step they can still login using the other process and matching id...) eg: userA-ssh member of sshAllow userA-sftp member of sftpAllow in sshd_config22: DenyGroups sftpAllow AllowGroups sshAllow and in sshd_config522: DenyGroups sshAllow AllowGroups sftpAllow But, as I said, it's not bulletproof (can be v difficult to lock users down depending on what other access they require to the system), requires multiple userids/person (never good for auditing), in some cases users may need to remember multiple pwds or other tokens*, auditing requires extra steps to 'normalise' the user access, etc etc. *That said, the users could use the same keypair for both accounts, and so login to either system with the one identity file...policies permitting. I haven't checked the order in which sshd checks the config - for users that have both groups configured, does openssh process the deny first, or the allow, or in the order specified in the file? Maybe just use the Deny option to forbid users in that category from using the wrong sshd instance... ie:test whatever you implement to ensure it does what you'd expect... rssh: http://www.pizzashack.org/rssh/ scponly: http://www.sublimation.org/scponly/ -- g'luck brian
