ssh2 - control communication port
Hi,

I've got a SuSE 8.2 system running with a ssh-daemon listening on port 22 and I would like to control the communication ports of the connection. In fact the number of users is small so it would be enough just to have a few ports open.

Is there any possibility to tell the ssh-daemon on which port he should reply to the client ???

thanks a lot, ...
...niels.
Niels Kueck wrote:
Is there any possibility to tell the ssh-daemon on which port he should reply to the client ???
The "ssh" client has an option for using privileged ports on the client side. Enforcing this via iptables/ipchains is possible, but I can see only very little gain in this pattern. Your ssh-daemon always talks from its listening port ("Port" in config) to a dynamic port on the client side.

What are your concerns?

If it is possible, use tcp-wrappers client IP restrictions in /etc/hosts.allow/.deny.
Don't permit root logins.
Don't use password authentication (set up authorized_keys and test before you turn it off).
Use passphrase-protected private keys (have a look at ssh-agent).
Set up a restrictive /etc/ssh/ssh_config (disallow port forwarding, X forwarding, agent forwarding - your users should use ~/.ssh/config if they don't like passing parameters to outgoing ssh sessions).

Peter
Hi Niels,
Is there any possibility to tell the ssh-daemon on which port he should reply to the client ???
--> I think you have misunderstood how the SSH protocol works.

Remote host: The sshd server is listening on port 22 (you can use "sshd -p xxx" to specify a different port).

Client host: The ssh client connects from a port > 1024 on the local machine to port 22 on the server. If you have multiple ssh connections, they all start on a different LOCAL port but end on port 22 of the server. You can use "ssh -p xxx" if the server is not listening on port 22.

You should restrict the sshd server to accept connections only from selected IPs by entering them in /etc/hosts.allow. Alternatively or in addition, you can add them to the SSHD configuration file /etc/sshd/sshd_config (see "man sshd_config").

HTH,
Armin
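Added example, not part of any poster's message: the port behaviour described in the replies above, observed on loopback with plain TCP sockets. The function names are hypothetical, and a listener on an OS-assigned port stands in for sshd on port 22.

```python
import socket

def observe_ports(n_clients=3):
    """Connect n_clients times to one loopback listener.

    Returns (listen_port, [(server_end_port, client_end_port), ...])."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # port 0 = any free port; stands in for sshd's 22
    listener.listen(n_clients)
    listen_port = listener.getsockname()[1]
    open_socks, pairs = [listener], []
    try:
        for _ in range(n_clients):
            client = socket.create_connection(("127.0.0.1", listen_port))
            conn, peer = listener.accept()
            open_socks += [client, conn]
            # Server end: getsockname() on the accepted socket is the listening port.
            # Client end: an ephemeral port picked by the client's own OS.
            pairs.append((conn.getsockname()[1], peer[1]))
    finally:
        for s in open_socks:
            s.close()
    return listen_port, pairs

def client_picks_source_port():
    """The client binds its source port before connecting; the server only sees it.

    Returns (port_client_bound, port_server_saw)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        client.bind(("127.0.0.1", 0))  # source port fixed on the client side, pre-connect
        bound = client.getsockname()[1]
        client.connect(listener.getsockname())
        conn, peer = listener.accept()
        conn.close()
        return bound, peer[1]
    finally:
        client.close()
        listener.close()

if __name__ == "__main__":
    port, pairs = observe_ports()
    for server_end, client_end in pairs:
        print(f"server :{server_end} (listening on :{port}) <-> client :{client_end}")
    print("client bound %d, server saw %d" % client_picks_source_port())
```

Every connection keeps the listening port on the server end, so a packet filter in front of the server only has to admit that one destination port.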
* Niels Kueck <n.kueck@gmx.de> [2003-06-26 14:34 +0200]:
Is there any possibility to tell the ssh-daemon on which port he should reply to the client ???
Either start sshd manually with -p <portnumber> or put (multiple, if you like) "Port <portnumber>" or "ListenAddress <your IP address>:<portnumber>" directives into your /etc/ssh/sshd_config file and restart the ssh service.

For details on sshd configuration issues, you can refer to man sshd(8) and sshd_config(5).

--
Johannes Franken
Professional unix/network development
mailto:jfranken@jfranken.de
http://www.jfranken.de/
Hi !
Is there any possibility to tell the ssh-daemon on which port he should reply to the client ???
Either start sshd manually with -p <portnumber>
or put (multiple, if you like) "Port <portnumber>" or "ListenAddress <your IP address>:<portnumber>" directives to your /etc/ssh/sshd_config file and restart the ssh service.
--> This will change the port the ssh SERVER is listening on. But I think Niels was looking for a way to restrict the port the ssh CLIENT is using on the client machine when initiating the ssh connection to the server. I don't think there's a command-line switch or a configuration file parameter for this.

Armin
Hi,

what exactly do you want to do? SSHD is always answering on the bound port (no port else ;-) So you need only to open server:22. The port on the other side is always specified by the client. You lost, if you can't configure the client.

Dirk

Niels Kueck wrote:
Hi,
I've got a SuSE 8.2 system running with a ssh-daemon listening on port 22 and I would like to control the communication ports of the connection. In fact the number of users is small so it would be enough just to have a few ports open.
Is there any possibility to tell the ssh-daemon on which port he should reply to the client ???
thanks a lot, ...
...niels.
participants (5): Armin Schoech, Johannes Franken, Niels Kueck, Peter Wiersig, schreiner