I have the following tasks:
- Configure the ssh service so that the user special specifically cannot connect through it.
- Open an ssh server on port 2222 listening on 127.0.0.1. Restrict this service so that only the user special can connect. Preferably create a service for this.
My approach is based on https://askubuntu.com/questions/324503/2-sshd-configurations-1-for-internal-and-1-external
- Modify /etc/ssh/sshd_config and add DenyUsers special
- Modify /etc/ssh/sshd_config_external, setting Port 2222 and ListenAddress 127.0.0.1
- Create /lib/systemd/system/sshd-external.service and modify it to include the new configuration: ExecStart=/usr/sbin/sshd -D $SSHD_OPTS -f /etc/ssh/sshd_config_external
Output of sshd.service:
[root@bastion 0 ~]# systemctl status sshd
● sshd.service - OpenSSH server daemon
Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
Active: active (running) since Sat 2020-09-19 12:54:16 UTC; 19min ago
Docs: man:sshd(8)
man:sshd_config(5)
Main PID: 1418 (sshd)
CGroup: /system.slice/sshd.service
└─1418 /usr/sbin/sshd -D
Sep 19 12:54:16 bastion.7eca.example.opentlc.com systemd[1]: Starting OpenSSH server daemon...
Sep 19 12:54:16 bastion.7eca.example.opentlc.com sshd[1418]: Server listening on 0.0.0.0 port 22.
Sep 19 12:54:16 bastion.7eca.example.opentlc.com sshd[1418]: Server listening on :: port 22.
Sep 19 12:54:16 bastion.7eca.example.opentlc.com systemd[1]: Started OpenSSH server daemon.
Sep 19 12:54:30 bastion.7eca.example.opentlc.com sshd[1884]: Accepted publickey for hesteban-redhat.com from 88.128.92.150 port 40092 ssh2: RSA SHA256:sWujd4yvXg62et5LzOAR7BhMGvQ5+vBNSUrgrVdUdEs
Sep 19 12:55:48 bastion.7eca.example.opentlc.com sshd[1929]: Received disconnect from 222.186.30.35 port 58344:11: [preauth]
Sep 19 12:55:48 bastion.7eca.example.opentlc.com sshd[1929]: Disconnected from 222.186.30.35 port 58344 [preauth]
Sep 19 13:13:52 bastion.7eca.example.opentlc.com sshd[2219]: Received disconnect from 222.186.42.155 port 10630:11: [preauth]
Sep 19 13:13:52 bastion.7eca.example.opentlc.com sshd[2219]: Disconnected from 222.186.42.155 port 10630 [preauth]
But the problem appears when I start sshd-external.service:
[root@bastion 0 ~]# systemctl start sshd-external
Job for sshd-external.service failed because a timeout was exceeded. See "systemctl status sshd-external.service" and "journalctl -xe" for details.
[root@bastion 0 ~]# journalctl -xe
-- Unit sshd-external.service has begun starting up.
Sep 21 07:16:41 bastion.7eca.example.opentlc.com sshd[2228]: error: Bind to port 2222 on 127.0.0.1 failed: Permission denied.
Sep 21 07:16:41 bastion.7eca.example.opentlc.com sshd[2228]: fatal: Cannot bind any address.
Sep 21 07:16:41 bastion.7eca.example.opentlc.com systemd[1]: sshd-external.service: main process exited, code=exited, status=255/n/a
Sep 21 07:16:41 bastion.7eca.example.opentlc.com systemd[1]: Failed to start OpenSSH server daemon.
-- Subject: Unit sshd-external.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit sshd-external.service has failed.
Then, if I try again, the error says 127.0.0.1 port 2222 is already in use.
EDIT
This is sshd-external.service:
[root@bastion 0 ~]# cat /lib/systemd/system/sshd-external.service
[Unit]
Description=OpenSSH server daemon
Documentation=man:sshd(8) man:sshd_config(5)
After=network.target sshd-keygen.service
Wants=sshd-keygen.service
[Service]
Type=notify
EnvironmentFile=/etc/sysconfig/sshd
ExecStart=/usr/sbin/sshd -D $OPTIONS -f /etc/ssh/sshd_config_external
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
Restart=on-failure
RestartSec=42s
[Install]
WantedBy=multi-user.target
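A consistency check for the two-daemon split described in the question, added here as an example (it is not the asker's code nor part of the linked answer): it parses each sshd_config-style file into its top-level directives and verifies that the main daemon denies special, that the external daemon allows only special and listens on 127.0.0.1, and that the two daemons do not try to bind the same port. The two config texts are constructed inline to mirror the question.

```python
"""Sanity-check a two-sshd split: main daemon denies a user, external daemon admits only that user."""
from typing import Dict, List

# Constructed sample configs mirroring the question: main daemon on :22 denying
# `special`, external daemon on 127.0.0.1:2222 restricted to `special`.
MAIN_CONFIG = """\
# main daemon
Port 22
PermitRootLogin no
DenyUsers special
Match User backup
    PasswordAuthentication no
"""

EXTERNAL_CONFIG = """\
Port 2222
ListenAddress 127.0.0.1
AllowUsers special
PasswordAuthentication no
"""

def parse_sshd_config(text: str) -> Dict[str, List[str]]:
    """Collect top-level directives (keyword -> list of values), stopping at the
    first Match block because keywords inside Match are conditional."""
    directives: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()            # sshd keywords are case-insensitive
        if keyword == "match":
            break
        directives.setdefault(keyword, []).append(parts[1].strip() if len(parts) > 1 else "")
    return directives

def check_split(main_text: str, external_text: str, user: str) -> List[str]:
    """Return a list of problems; an empty list means the split is consistent."""
    main, ext = parse_sshd_config(main_text), parse_sshd_config(external_text)
    problems: List[str] = []
    if user not in " ".join(main.get("denyusers", [])).split():
        problems.append(f"main config does not deny {user}")
    allowed = " ".join(ext.get("allowusers", [])).split()
    if allowed != [user]:
        problems.append(f"external config AllowUsers is {allowed!r}, expected [{user!r}]")
    if ext.get("listenaddress") != ["127.0.0.1"]:
        problems.append("external config must listen only on 127.0.0.1")
    shared = set(main.get("port", ["22"])) & set(ext.get("port", ["22"]))  # 22 is sshd's default
    if shared:
        problems.append(f"both daemons would bind port(s) {sorted(shared)}")
    return problems
```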