I started a new SSH daemon with a config file with a non-standard port number. Now if I start the SSHD as sudo I can SSH onto the host but if i start as a different system account, the daemon starts but the connections fail. Does the SSHD always need to be started as root ?
I made sure the SSHD is running, it just doesnt accept connections.
It is not practical to run sshd as non-root. sshd needs root privileges for
password authentication (only root can access /etc/shadow)
binding to a port that is below 1024
calling setuid() in order to obtain the privileges of the user that has connected
If you use an unprivileged port and key-based only auth, you may be able to make it work, but you'll be restricted to connections with the user that is running sshd.
There is a relevant discussion here: http://seclists.org/basics/2003/Aug/564
Which port did you use? Ports below 1024 are privileged to Root only.
Related
I created a compute engine which has these network tags and firewall rules:
So if I understand this correctly, the machine is allowed to listen on port 80.
I installed node and created a really simple http server just to see if I can reach the box via http. Logged in via ssh on cloud console. When I try to start it (e.g. npm start to run the server), it says:
Error: listen EACCES: permission denied 0.0.0.0:80
Why? How to resolve?
I read somewhere that low port #s are usually restricted to root user, so I tried sudo it says sudo: npm: command not found and similar for sudo node.
Also why is that when you create a server using scripts like these, the article says they are executed as root? How does that happen and why am I not executing as root when I'm the one who booted up the machine and logged in as myself? Yes, my understanding of linux perms is very newbie.
Thanks...
In order to use TCP ports lower than 1024 you node server must run with root privileges. TCP ports 1024 and higher do not require privilege.
When you login to a Google Cloud Compute Engine instance, you are loggin in as a normal user. You do not have root privilege. To grant root privilege to a command, prefix it with sudo. Example: sudo mkdir /directoryname.
I do NOT recommend running node servers with root privilege. This opens a possibly serious security hole in your system. Search the Internet on this topic before deciding.
Your choices are:
Select a port above 1023. Common port numbers: 8000, 8080, 5000.
Start the node server with root privileges: sudo node hello.js
In regards to npm not being found. You will need to modify the environment's PATH variable to include the location of where you installed your node toolset for the user root.
I'm writing a short script to put as a cronjob. The function of the script should be kicking all ssh-entries (all hosts that are connected via ssh on a machine), except a special host (mostly localhost or the host where I'm sitting at). My idea was:
kill -9 $(pgrep -f ssh)
But this kicks all ssh-entries (including the host where I'm sitting at). How can I change the script so that it won't kick the localhost ?
What you can do is deny all ssh connections that are not coming from localhost. Go to /etc/ssh/sshd_config and add a line that says AllowUsers *#localhost, then restart the ssh server. This will allow only users that come from localhost to connect via ssh. You can also use DenyUsers youruser#yourdomain if you want to blacklist specific users or domains. If users that you blacklisted/that are not on your whitelist try to connect, they'll get a Permission denied message.
In a linux-based system¹, I would like to be able to log on using ssh. I need to launch two (or possibly three) different executables, ideally by connecting to different ports.
Ideally I would like to open a couple of different ports, and have sshd launch different executables² depending on which port. How do I set this up? I have looked through the sshd_config, but without finding anything that looks applicable.
Another alternative that came up was to set up different users, and set up the different applications I want to launch as their respective shells.
(What I do not want to do is to have the remote user specify the executable, as in ssh user#host executable.)
Or have I missed any obvious solution?
¹It's a BuildRoot-based embedded system, running on fairly meager resources, but it's a fully-fledged recent Linux kernel and I have a working ssh connection.
²They are interactive CLI-based programs.
Most linux systems use the OpenSSH server. It looks like you can get this behavior using the Match directive. Documentation for the SSH server configuration file is here.
First, you have to make sshd listen for connections on the additional ports that you want to use. You can do this through either the Port or ListenAddress directives.
Port 22 -- Listen on the normal port 22
Port 42 -- Also listen on port 42
ListenAddress 1.2.3.4:62 -- Also listen on address 1.2.3.4, port 62
Then, you can use the Match and ForceCommand directives to take special actions for users connecting to a particular port:
Match LocalPort 42
ForceCommand /usr/local/bin/the-42-app
Match LocalPort 62
ForceCommand /usr/local/bin/the-62-app
For people who don't want to set the ssh server to listen on multiple ports, there are two other ways to make the server run "canned" apps depending on how the the user connects.
Subsystems
A subsystem is a command that's pre-configured into the server. Clients request to run the subsystem by name, and the server runs the command associated with the subsystem. This avoids the client having to know the exact command to run.
You configure subsystems in sshd by adding a line like this to sshd_config:
Subsystem someApp /usr/local/bin/someApp
Then the client calls it like this:
ssh user#host -s someApp -- "-s" means to request a subsystem
Forced Commands on Keys
For key-based authentication, sshd permits you to force a particular command to run when a particular key is used. This is done in the authorized_keys file which is documented here.
Each line of an authorized_keys file normally starts like this:
ssh-rsa AAAAB3N...
You can prepend an options field to the line. One of the options you can specify is a command to run when the key is used to authenticate:
command="/usr/local/bin/someApp" ssh-rsa AAAAB3N...
When that key is used to authenticate, the server will ignore whatever command the client requests to run, and run the specified command instead.
You can configure SSH server to listen on multiple ports. Just add additional ports in sshd_config like this:
Port 22
Port 1111
Port 2222
In open source project,project open, I'm trying to run the server on port 80 for http and 443 for https which gave an error
[-nssock:driver-] Error: nssock: failed to listen on 0.0.0.0:80: Permission denied
and also is there anything else required to enable https port(like certification,etc)
Are there any other applications which already used the port 80? run below command to find out what applicaiton use the resource
netstat -an |grep "\.80 "
lsof -i:80
Probably you are trying to run AolServer as non-root user, but AolServer is configured to use "privileged" ports 80 and 443 (ports below 1024 are "privileged").
You may either configure your system to allow non-root process to bind to "privileged" ports, or just run AolServer as root. For the first approach also check discussion of the capabilities system.
i've got another question for you.
I have Amazon EC2 instance with mondodb installed.
It works great except one thing - i can't access (connect to) it from outside (my PC).
I think the problem with Security Groups. It's some sort of default firewall.
Does anyone know how to configure EC2 instance to have access to mongodb?
Thanks in advance.
Think carefully before doing this. If you open the ports, make sure you restrict the IP numbers that can access it, otherwise anyone will be able to access your database. You can enable authentication in MongoDB, but it's not particularly safe, just a username and password. You should not have your database open to the internet, it is not a good idea.
A better way than opening up ports in the EC2 firewall is to open an SSH tunnel an forward the port, this makes sure that only you can access the database, and only while the SSH tunnel is active.
Open up a new terminal and run this command (replacing user and host with the user you use when SSH'ing to your server and the name of the server):
ssh user#host -N -L 27017:127.0.0.1:27017
The command will forward the port 27017 on your computer to the same port on the server. To connect to the MongoDB instance simply run mongo in a terminal (if that doesn't work, try mongo --host 127.0.0.1 or even mongo --host 127.0.0.1 --port 27017).
If you run MongoDB on your local machine you will have to change the first port, since the local server is already using it. In that case run this command instead:
ssh user#host -N -L 27018:127.0.0.1:27017
and then connect with
mongo --port 27018
(possibly adding --host 127.0.0.1 if it doesn't work).
When you're done working with the database, exit mongo and press ctrl-C in the terminal with the SSH command.
You need to add a security group exception for the port 27017 if you are using default config for you to access it from outside. For security group configuration, please check the amazon EC2 documentation. And if you are using a different port on Mongo, change the security group port accordingly.
--Sai
Is your EC2 instance a Windows server by any chance? If so, in addition to EC2's Security Groups you also need to configure Windows Firewall to allow the incoming connection.
Go To Administrative Tools, Windows Firewall with Advanced Security, and configure a new Rule that allows incoming connections on port 27017 (the default mongo port) or whatever port you've chosen.