Joshua Feather wrote:
> I'm curious if anyone knows of a way to configure openssh on a
> Solaris(8/9) and Linux system (RH4) to use port 22 for ssh and 522 for
> sftp using only one installed client rather than installing separate
> instances to utilize separate ports...any help would be greatly
> appreciated!


There are a few 'solutions' but these will require that you have separate sshd
instances and ids for both sftp and ssh for every user. i.e. as someone else
pointed out, use two separate config files conf22 and conf522.

Essentially you have to use separate userids on these systems so that userA-ssh
is 'locked' inside a restricted shell (e.g. rbash) such that they cannot use sftp
or other file copying utilities (this is not trivial... esp. if they need access
to editors, etc). The other account (userA-sftp) uses either rssh or scponly
as the 'shell' and so cannot login interactively using that account.

Finally add user*-ssh to group sshAllow and user*-sftp to sftpAllow, then use
Deny/AllowGroups in the relevant sshd_config to prevent users gaining access to
the other sshd (they are the same program after all and without this step they
can still login using the other instance and matching id...)

eg:
userA-ssh member of sshAllow
userA-sftp member of sftpAllow

in sshd_config22:
DenyGroups sftpAllow
AllowGroups sshAllow

and in sshd_config522:
DenyGroups sshAllow
AllowGroups sftpAllow

But, as I said, it's not bulletproof (can be very difficult to lock users down
depending on what other access they require to the system), requires multiple
userids/person (never good for auditing), in some cases users may need to
remember multiple passwords or other tokens*, auditing requires extra steps to
'normalise' the user access, etc etc.

*That said, the users could use the same keypair for both accounts, and so
login to either system with the one identity file...policies permitting.

I haven't checked the order in which sshd checks the config - for users that
have both groups configured, does openssh process the deny first, or the allow,
or in the order specified in the file? Maybe just use the Deny option to
forbid users in that category from using the wrong sshd instance... i.e. test
whatever you implement to ensure it does what you'd expect...

rssh: http://www.pizzashack.org/rssh/
scponly: http://www.sublimation.org/scponly/


--
g'luck
brian
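An added example (not part of brian's post or of OpenSSH itself) that models the two-instance AllowGroups/DenyGroups setup above and the evaluation-order question brian raises. sshd_config(5) documents that sshd processes DenyUsers, AllowUsers, DenyGroups and finally AllowGroups in that fixed order regardless of where they sit in the file; the configs, user names and group memberships below are constructed sample data.

```python
import fnmatch

# Constructed sample configs mirroring the post's sshd_config22 / sshd_config522.
SSHD_CONFIG_22 = """
Port 22
DenyGroups sftpAllow
AllowGroups sshAllow
"""
SSHD_CONFIG_522 = """
Port 522
DenyGroups sshAllow
AllowGroups sftpAllow
"""

# Constructed sample group memberships: the intended userA pair, plus a
# misconfigured account that was added to both groups by mistake.
GROUPS = {
    "userA-ssh": {"sshAllow"},
    "userA-sftp": {"sftpAllow"},
    "userB": {"sshAllow", "sftpAllow"},
}


def parse_config(text):
    """Collect the four Allow/Deny directives from an sshd_config fragment."""
    rules = {"DenyUsers": [], "AllowUsers": [], "DenyGroups": [], "AllowGroups": []}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        key, _, value = line.partition(" ")
        if key in rules:
            rules[key].extend(value.split())  # directives accept several patterns
    return rules


def _matches(name, patterns):
    return any(fnmatch.fnmatchcase(name, p) for p in patterns)


def login_allowed(user, groups, rules):
    """Apply sshd's documented order: DenyUsers, AllowUsers, DenyGroups, AllowGroups."""
    if _matches(user, rules["DenyUsers"]):
        return False
    if rules["AllowUsers"] and not _matches(user, rules["AllowUsers"]):
        return False
    if any(_matches(g, rules["DenyGroups"]) for g in groups):
        return False  # a deny on any group wins before AllowGroups is considered
    if rules["AllowGroups"] and not any(_matches(g, rules["AllowGroups"]) for g in groups):
        return False
    return True


def check_user(user):
    """Return (allowed on port 22 sshd, allowed on port 522 sshd) for a sample user."""
    return (login_allowed(user, GROUPS[user], parse_config(SSHD_CONFIG_22)),
            login_allowed(user, GROUPS[user], parse_config(SSHD_CONFIG_522)))
```

Under this order a user placed in both groups (userB) is rejected by both instances, since each DenyGroups line is evaluated before the AllowGroups line that would otherwise admit it; the intended userA-ssh/userA-sftp split gives exactly one instance each.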