I would like SSHD to allow just one user, say "remoteuser", deniyng access to everyone else, root also.
can I do it?

anyone know how to config SSHD such way?

thanks in advance
n

here is a link to the openssh manual pages (http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config). You can also acces them man sshd_config
Tha option you want is the AllowUsers. Only the listed users will be allowed to login.

thank you very much!
n

I have created a seperate config file for SSH to run and listen on another port (for example: 5000 RSA connections only). I created a identical init script called sshd-ext in /etc/init.d (Minor Modifications). I created file to call the new config in /etc/syscondif/sshd-ext.

All seems to work fine except I get errors in the security logs. Which I have seen others post on this forum.

Nov 28 12:26:58 vpn sshd[26691]: error: Bind to port 5000 on 0.0.0.0 failed: Address already in use.
Nov 28 12:35:42 vpn sshd[26691]: Received signal 15; terminating.

I edited the conf file and specified the IP Address of the interface to use for this config:

Port 5000
#Protocol 2,1
ListenAddress 10.200.16.10
#ListenAddress 0.0.0.0
#ListenAddress ::

I verified the original sshd_confid was only listening on 0.0.0.0 and not ::

The problem is ssh seems to use the same PID for both processes and always wants to bind on port 22 for some reason. If I restart one of the processes it can and sometimes does kill the other process.

service sshd restart will kill the process started as sshd-ext.

I also run the same config on FC1 and I have do not have these issues.

See version and intit scripts below:

[root@vpn root]# rpm -qa |grep ssh
openssh-askpass-3.6.1p2-34
openssh-3.6.1p2-34
openssh-clients-3.6.1p2-34
openssh-askpass-gnome-3.6.1p2-34
openssh-server-3.6.1p2-34
[root@vpn root]#

[root@vpn root]# cat /etc/init.d/sshd-ext
#!/bin/bash
#
# Init file for OpenSSH server daemon
#
# chkconfig: 2345 55 25
# description: OpenSSH server daemon
#
# processname: sshd
# config: /etc/ssh/ssh_host_key
# config: /etc/ssh/ssh_host_key.pub
# config: /etc/ssh/ssh_random_seed
# config: /etc/ssh/sshd_config
# pidfile: /var/run/sshd-ext.pid

# source function library
. /etc/rc.d/init.d/functions

# pull in sysconfig settings
[ -f /etc/sysconfig/sshd-ext ] && . /etc/sysconfig/sshd-ext

RETVAL=0
prog="sshd"

# Some functions to make the below more readable
KEYGEN=/usr/bin/ssh-keygen
SSHD=/usr/sbin/sshd
RSA1_KEY=/etc/ssh/ssh_host_key
RSA_KEY=/etc/ssh/ssh_host_rsa_key
DSA_KEY=/etc/ssh/ssh_host_dsa_key
PID_FILE=/var/run/sshd-ext.pid

do_rsa1_keygen() {
if [ ! -s $RSA1_KEY ]; then
echo -n $"Generating SSH1 RSA host key: "
if $KEYGEN -q -t rsa1 -f $RSA1_KEY -C '' -N '' >&/dev/null; then
chmod 600 $RSA1_KEY
chmod 644 $RSA1_KEY.pub
success $"RSA1 key generation"
echo
else
failure $"RSA1 key generation"
echo
exit 1
fi
fi
}

do_rsa_keygen() {
if [ ! -s $RSA_KEY ]; then
echo -n $"Generating SSH2 RSA host key: "
if $KEYGEN -q -t rsa -f $RSA_KEY -C '' -N '' >&/dev/null; then
chmod 600 $RSA_KEY
chmod 644 $RSA_KEY.pub
success $"RSA key generation"
echo
else
failure $"RSA key generation"
echo
exit 1
fi
fi
}

do_dsa_keygen() {
if [ ! -s $DSA_KEY ]; then
echo -n $"Generating SSH2 DSA host key: "
if $KEYGEN -q -t dsa -f $DSA_KEY -C '' -N '' >&/dev/null; then
chmod 600 $DSA_KEY
chmod 644 $DSA_KEY.pub
success $"DSA key generation"
echo
else
failure $"DSA key generation"
echo
exit 1
fi
fi
}

do_restart_sanity_check()
{
$SSHD -t
RETVAL=$?
if [ ! "$RETVAL" = 0 ]; then
failure $"Configuration file or keys are invalid"
echo
fi
}

start()
{
# Create keys if necessary
do_rsa1_keygen
do_rsa_keygen
do_dsa_keygen

echo -n $"Starting $prog:"
initlog -c "$SSHD $OPTIONS" && success || failure
RETVAL=$?
[ "$RETVAL" = 0 ] && touch /var/lock/subsys/sshd-ext
echo
}

stop()
{
echo -n $"Stopping $prog:"
killproc $SSHD -TERM
RETVAL=$?
[ "$RETVAL" = 0 ] && rm -f /var/lock/subsys/sshd-ext
echo
}

reload()
{
echo -n $"Reloading $prog:"
killproc $SSHD -HUP
RETVAL=$?
echo
}

case "$1" in
start)
start
;;
stop)
stop
;;
restart)
stop
start
;;
reload)
reload
;;
condrestart)
if [ -f /var/lock/subsys/sshd-ext ] ; then
do_restart_sanity_check
if [ "$RETVAL" = 0 ] ; then
stop
# avoid race
sleep 3
start
fi
fi
;;
status)
status $SSHD
RETVAL=$?
;;
*)
echo $"Usage: $0 {start|stop|restart|reload|condrestart|status}"
RETVAL=1
esac
exit $RETVAL
[root@vpn root]#

/etc/ssh/sshd_config
add
AllowUsers remoteusers

I resolved the issue(s), the default init script that starts and stops sshd has some issues if you are running more than one instance of ssh. There is a variable for the pid that never gets called and is not set by the init script:

PID_FILE=/var/run/sshd-ext.pid

You need to add this to the conf file to get it to create another pid file for the second process.

PIDFILE /var/run/sshd-ext.pid

Second the script does not use the pid to kill the process. It kills everything running the binary.

echo -n $"Stopping $prog:"
killproc $SSHD -TERM

I am not a shell script expert so to fix this problem i made a copy of the sshd binary called sshd-ext. Modified the above script so that it called sshd-ext for the binary for all instances.

Then I had a issue with pam so i copied /etc/pam.d/sshd to /etc/pam.d/sshd-ext.

Last, the errors in the logs about binding were resolved by putting the interface address in and and stopping IP6 from loading.

The problem is resolved however I still think the better solution would have been to fix the init script.

John