geodb27 | People hi! For my custom needs, I need to run a second sshd server aside the default one. What would be the preferred way to do so? The Ubuntu 18.04 server machine I need this on runs systemd, should I write my own systemd service file? | 09:18 |
rbasak | geodb27: I think it depends on the reason you need it. Could you elaborate? | 09:33 |
geodb27 | Thanks for your answer rbasak. I need a specific ssh on which to connect, only with key auth for certain users that would not allow shell access but only use the "forceCommand" config parameter to be used. | 09:35 |
geodb27 | I can't modify the running and main sshd process. It should be aside for security reasons. | 09:36 |
rbasak | You know you can do that with a Match directive on the main sshd process, right? | 09:37 |
rbasak | Why can't you modify the main one? | 09:37 |
geodb27 | Indeed I could. But this would enforce the forceCommand for all users and would restrict what can be done. The main process suits my needs: users can ssh, scp, rsync, sftp and so on. I don't want to alter that. | 09:39 |
rbasak | geodb27: no, that's not right. You can use the Match directive in sshd_config to limit a ForceCommand to a specific set of users or groups. | 09:46 |
rbasak | geodb27: in answer to your original question, I think you'd have to write a separate systemd service file, but you'd also have to carefully write an sshd_config that avoids using any state directories that would conflict with the main sshd process. | 09:47 |
rbasak | I remember someone else doing something similar though for different reasons having quite a bit of trouble with that. | 09:48 |
rbasak | I believe it's possible, but I think you'll have a much easier time of it, and less to maintain, if you can configure what you need with Match instead. | 09:49 |
geodb27 | Thanks rbasak for answering my first question :-) I'll look for it. The main idea is to leave things untouched for now and have something else aside. Let me explain a bit more if you want: | 09:49 |
geodb27 | My users are used to connect to this server via every way I quoted above and I don't want to change anything. | 09:50 |
geodb27 | However, I have a special user on this machine that I'd like to be able to launch in place of some of the users (and not all) one specific command (mainly rsync -av $HOME other_server:HOME). You could say that each user can do that, and indeed, they can, but that is not the point. | 09:51 |
rbasak | geodb27: so I'd add a Match directive for just that special user with its ForceCommand | 09:55 |
rbasak | That won't interfere with sshd configuration for any other user | 09:55 |
rbasak | And it won't increase the exposed surface for security, unlike adding an additional sshd process with its own entirely separate configuration | 09:56 |
geodb27 | I think that I mis-explained something. Never mind, I've successfully made what I wanted. If you want, I can show in a pastebin how I did it. | 09:58 |
geodb27 | http://dpaste.com/214THCR There we are. You might well better understand my needs. This setup works fine for me. | 10:26 |
rbasak | Oh, I see. | 11:18 |
rbasak | I would still resist doing it by adding an extra sshd instance, but I agree that you can't just use a Match directive to achieve that as I suggested. | 11:19 |
geodb27 | It will suit my needs, and much more, it'll solve another similar problem that I'll face later on with another server. Still, it looks secure enough and I don't think that ssh will add much overload to the machines. | 13:22 |
=== StathisA- is now known as StathisA | ||
=== Xbert is now known as Guest30655 | ||
azx | Hello where can i learn how to work with and configure rackmount hardware | 20:22 |
lordcirth_ | azx, Try #ubuntu-offtopic | 20:23 |
Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!