Mailinglist Archive: opensuse-security (465 mails)

Re: [suse-security] How can sshd be turned off and on via a browser on a suse distro?
  • From: David Smith <dsmith@xxxxxxxxxxxxxxxxxxxx>
  • Date: Mon, 3 Dec 2001 21:05:22 +0000
  • Message-id: <20011203210522.Q12771@xxxxxxxxxx>
On Mon, Dec 03, 2001 at 10:23:31AM -0800, phil wrote:
> I have been trying to figure out how to get sshd to start and stop via a
> browser. If I call rcsshd stop or rcsshd start from a cgi script it won't
> find the keys.
> In general I have the cgi script call sshd like so:
> if variable = variable
> then
> system rcsshd start
> else
> system rcsshd stop
> there's a little more to it than that (obviously), and I know it can work, I
> just can't get suse to cooperate.
> I've tried calling sshd from /etc/ssh, from /usr/sbin etc none of these
> methods will seem to work

Your web server is probably running in a chroot jail. It is also probably
not running as root (and rcxxx scripts need to be run as root (or with
sudo or similar) if you want them to work). You will probably need to remove
the chroot from your webserver, which opens up more security holes. If you
know the IP (or range of IPs) from which you are likely to want to use an
SSH connection, then you can use the firewall script to restrict which
machines are allowed to connect to sshd.

> The reasons I wish to do this:
> 1. crackers won't see a port open when they scan.
> 2. the html page for controlling sshd can be obscured.
> eg.
> http://somewhere/lkjsfkjsfljsdfh/123987kjghkjhdfgkh/lkjsdflkjsldfkjlskdjf.cgi

The password would be transferred over the 'net in plaintext unless you use https.

> Future idea:
> Doing the same for ftpd.

Unless you need the ftp protocol, I'd use scp instead.

> Need to somehow write a fresh inet.d and HUP it somehow... ?

Perhaps iptables might be able to do something like opening up the ssh port
after a particular sequence of ports are opened by the same IP address?
Just a guess.

Alternatively, I'd just stick with ssh and keep it up-to-date (which is what
I do, although I don't need ssh access at the moment, so I've closed off the
port until I get time to update sshd).
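The sudo route mentioned above, as an added example that is not part of the thread: a CGI wrapper that starts or stops sshd through a narrowly scoped sudo rule, so the web server stays unprivileged and only the two literal verbs the rule permits ever reach the rc script. It assumes a hypothetical web server user `wwwrun`, the rc script at `/usr/sbin/rcsshd`, a matching sudoers entry (shown in the comments), and that the page is served over https only.

```sh
#!/bin/sh
# Added example (not from the original thread): CGI wrapper that starts or
# stops sshd via a narrowly scoped sudo rule instead of running the web
# server as root or dropping its chroot.
#
# Assumed sudoers entry (hypothetical user "wwwrun"):
#   wwwrun ALL=(root) NOPASSWD: /usr/sbin/rcsshd start, /usr/sbin/rcsshd stop
#
# Assumed: standard CGI, so the query string arrives in QUERY_STRING.

RCSSHD=/usr/sbin/rcsshd     # assumed path of the rc script

# validate_action: accept only the two literal verbs the sudo rule allows.
# Anything else (including shell metacharacters) is rejected.
validate_action() {
    case "$1" in
        start|stop) return 0 ;;
        *)          return 1 ;;
    esac
}

# build_command: the exact command line handed to sudo, returned as text so
# it can be inspected without being executed.
build_command() {
    validate_action "$1" || return 1
    printf 'sudo -n %s %s\n' "$RCSSHD" "$1"
}

# sshd_control: run the command for a validated action. With DRY_RUN=1 the
# command is only printed, so the script can be exercised without root.
sshd_control() {
    cmd=$(build_command "$1") || return 1
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$cmd"
    else
        $cmd   # tokens were validated above; word splitting is intended
    fi
}

# CGI entry point: expects "action=start" or "action=stop".
cgi_main() {
    action=${QUERY_STRING#action=}
    printf 'Content-Type: text/plain\r\n\r\n'
    if sshd_control "$action"; then
        printf 'sshd %s: ok\n' "$action"
    else
        printf 'rejected\n'
    fi
}

# Dispatch only when invoked by the web server, not when sourced for tests.
if [ -n "$GATEWAY_INTERFACE" ]; then cgi_main; fi
```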
