embedding sshd into a server

Do you have a question? Post it now! No Registration Necessary.  Now with pictures!

Threaded View
I have a server that, among other things, listens on a socket where
admins can connect to issue commands. Right now it listens on a
configurable IP/port with no authentication. I'd like to secure it.

What I envisioned is, have the server fork and exec an sshd process that
listens on a special port (so it doesn't conflict with the system sshd).

When an ssh clients connects to the special sshd port and authenticates
successfully, here is what I want to happen: instead of opening a shell
or executing a command specified by the client, I want sshd to turn into
a dumb proxy that connects its own stdin/stdout to the client socket.
(The stdin/stdout are already set up as pipes to the parent server process).

Is something like this possible?

Re: embedding sshd into a server

Rather than using a separate, customized sshd, why not just specify as an
subsystem a program that connects to your application server?

  Richard Silverman

Re: embedding sshd into a server

Quoted text here. Click to load it

Yes, probably.  I did something similar by setting up a second ssh
service which forces its users into a special program at login.  
Without going into too much detail, I did the following on a RH9

1. Copy the normal ssh config files to a new "privatessh" config:
     cd /etc/ssh
     cp -p ssh_config privatessh_config
     cp -p sshd_config privatesshd_config
   Then modify the new config files as necessary.
2. Copy the ssh init script:
     cd /etc/rc.d/init.d
     cp -p sshd privatesshd
   and modify as required.
3. Copy the ssh daemon and the pam module:
     cd /usr/sbin
     cp -p sshd privatesshd
     cd /etc/pam.d  
     cp -p sshd privatesshd
   Do not modify.

At this point you have a new, private ssh daemon available.  You can
start it (again, remember this is RH9):
     chkconfig --add privatesshd
     chkconfig --level 2345 privatesshd on
     service privatesshd start
   This should create the necessary keys.

Restricting what the users can do with this new private ssh depends on
changes to the various files that were created, especially the config
and pam files.  A simple way to force a certain command is to change
the location of the authorized keys file (in /etc/privatesshd_config):
     AuthorizedKeysFile     /<somenewpath>/authorized_keys
to a file owned by root, then add a:
phrase to the user's authorized key.  And make sure that the only
authentication method is the authorized key.

There are other ways, also.  You could create a new user for each
admin and make sure that user is forced to a certain command at login
instead of /bin/bash.

ssh is quite a flexible system!  Thank you, OpenSSH developers.


Site Timeline