How can sshd be turned off and on via a browser on a suse distro?
I have been trying to figure out how to get sshd to start and stop via a browser. If I call rcsshd stop or rcsshd start from a cgi script it won't find the keys.

In general I have the cgi script call sshd like so:

if variable = variable then system rcsshd start else system rcsshd stop

there's a little more to it than that (obviously), and I know it can work, I just can't get suse to cooperate. I've tried calling sshd from /etc/ssh, from /usr/sbin etc; none of these methods will seem to work.

The reasons I wish to do this:

1. crackers won't see a port open when they scan.
2. the html page for controlling sshd can be obscured. eg. http://somewhere/lkjsfkjsfljsdfh/123987kjghkjhdfgkh/lkjsdflkjsldfkjlskdjf.cg...
3. an .htaccess can be used to protect the page, which the cracker would need to know the name and password for.
4. even if said cracker could find the obscured page, and hack the name and pass, they still would need to find the correct name and password to actually log on to sshd.
5. sshd seems to be starting the same trend as "wu_ftp" and such.

Future idea: Doing the same for ftpd. Need to somehow write a fresh inet.d and HUP it somehow... ?

Thanks,
phil
* phil wrote on Mon, Dec 03, 2001 at 10:23 -0800:
> I have been trying to figure out how to get sshd to start and stop via a browser. If I call rcsshd stop or rcsshd start from a cgi script it won't find the keys.
Maybe the environment is wrong? Do you mean the host keys or what?
> In general I have the cgi script call sshd like so:
>
> if variable = variable then system rcsshd start else system rcsshd stop
I miss the sudo call. It's very hard to run apache as root, you would have to recompile with -DBIG_SECURITY_HOLE (BTW, very cool define name :)), so are you really sure that ssh gets even started?!
> 2. the html page for controlling sshd can be obscured. eg. http://somewhere/lkjsfkjsfljsdfh/123987kjghkjhdfgkh/lkjsdflkjsldfkjlskdjf.cg...
I would suggest https: at least...
> 3. an .htaccess can be used to protect the page which the cracker would need to know the name and password for.

Please note that your password would be transmitted in clear, which could end in a DoS (shutting down SSH), theoretically.
> 5. sshd seems to be starting the same trend as "wu_ftp" and such.
Hum, I don't think so, think most was caused by some myst around here...
> Need to somehow write a fresh inet.d and HUP it somehow... ?

Well, maybe you can make an inetd.conf.on and inetd.conf.off and copy one of them to inetd.conf. But wasn't webmin able to start/stop services? Who knows...

oki,

Steffen

--
This message was generated by machine and therefore bears neither signature nor seal.
On Mon, Dec 03, 2001 at 10:23:31AM -0800, phil wrote:
> I have been trying to figure out how to get sshd to start and stop via a browser. If I call rcsshd stop or rcsshd start from a cgi script it won't find the keys.
>
> In general I have the cgi script call sshd like so:
>
> if variable = variable then system rcsshd start else system rcsshd stop
>
> there's a little more to it than that (obviously), and I know it can work, I just can't get suse to cooperate.
>
> I've tried calling sshd from /etc/ssh, from /usr/sbin etc none of these methods will seem to work
Your web server is probably running in a chroot jail. It is also probably not running as root (and rcxxx scripts need to be run as root (or with sudo or similar) if you want them to work), so you will probably need to remove the chroot from your webserver, which opens up more security holes. If you know the IP (or range of IPs) from which you are likely to want to use an SSH connection, then you can use the firewall script to restrict which machines are allowed to connect to sshd.
> The reasons I wish to do this:
>
> 1. crackers won't see a port open when they scan.
> 2. the html page for controling sshd can be obscured. eg. http://somewhere/lkjsfkjsfljsdfh/123987kjghkjhdfgkh/lkjsdflkjsldfkjlskdjf.cg...
Password would be transferred over the 'net in plaintext unless you use https. [snip]
> Future idea:
>
> Doing the same for ftpd.
Unless you need the ftp protocol, I'd use scp instead.
> Need to somehow write a fresh inet.d and HUP it somehow... ?

Perhaps iptables might be able to do something like opening up the ssh port after a particular sequence of ports is opened by the same IP address? Just a guess. Alternatively, I'd just stick with ssh and keep it up-to-date (which is what I do, although I don't need ssh access at the moment, so I've closed off the port until I get time to update sshd).

HTH...
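Both replies make the same two points: the CGI as sketched has no sudo call, and the web server should not be running as root in the first place. The following is an added example, not phil's script and not code from the thread, showing how a CGI of this kind can hand the start/stop decision to sudo without ever passing browser input to a shell. It assumes SuSE's Apache runs as the user wwwrun, that the init script is reachable as /usr/sbin/rcsshd, and that a sudoers rule limited to exactly those two invocations exists; all three are assumptions, not facts from the thread.

```shell
#!/bin/sh
# Added example: a minimal CGI that toggles sshd via sudo.
# Assumed sudoers rule (wwwrun, the rcsshd path and this rule are assumptions):
#   wwwrun ALL=(root) NOPASSWD: /usr/sbin/rcsshd start, /usr/sbin/rcsshd stop
#
# SUDO and RCSSHD can be overridden so the logic can be exercised without root.
SUDO="${SUDO:-sudo -n}"
RCSSHD="${RCSSHD:-/usr/sbin/rcsshd}"

# Returns 0 only for the two actions the sudoers rule permits. Anything else
# (including "start;id" or "restart") is rejected before a command is built,
# so the query string can never be interpreted by a shell.
validate_action() {
    case "$1" in
        start|stop) return 0 ;;
        *)          return 1 ;;
    esac
}

# Pulls the raw value of action=<value> out of QUERY_STRING (empty if absent).
query_action() {
    printf '%s\n' "${QUERY_STRING:-}" | tr '&' '\n' | sed -n 's/^action=//p' | head -n 1
}

# Invokes the init script with a fixed absolute path and a fixed argv.
# No string interpolation: the action is a separate argument, never concatenated.
# Returns 2 for a rejected action, otherwise the exit status of the init script.
sshd_control() {
    validate_action "$1" || return 2
    $SUDO "$RCSSHD" "$1"
}

# CGI entry point: emit a plain-text response and leave an audit line in syslog.
cgi_main() {
    action=$(query_action)
    printf 'Content-Type: text/plain\r\n\r\n'
    if sshd_control "$action"; then
        status=ok
        printf 'sshd %s: ok\n' "$action"
    else
        status=rejected
        printf 'rejected\n'
    fi
    logger -t sshd-cgi "remote=${REMOTE_ADDR:-?} action=${action:-none} result=$status" 2>/dev/null || :
}

# Only act as a CGI when invoked by a web server (GATEWAY_INTERFACE is set by CGI/1.1).
if [ -n "${GATEWAY_INTERFACE:-}" ]; then
    cgi_main
fi
```

Two caveats that follow directly from the replies: if Apache is chrooted, as David suspects, neither sudo nor the init script is visible inside the jail, so the wrapper cannot work until that is addressed; and the .htaccess credentials still cross the network in clear unless the page is served over https, which is why Steffen warns that a sniffed password amounts to a remote "stop sshd" button.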
Participants (3): David Smith, phil, Steffen Dettmer