1

In a Linux-based system¹, I would like to be able to log on using ssh. I need to launch two (or possibly three) different executables, ideally by connecting to different ports.

Ideally I would like to open a couple of different ports, and have sshd launch different executables² depending on which port. How do I set this up? I have looked through the sshd_config, but without finding anything that looks applicable.

Another alternative that came up was to set up different users, and set up the different applications I want to launch as their respective shells.

(What I do not want to do is to have the remote user specify the executable, as in ssh user@host executable.)

Or have I missed any obvious solution?

¹It's a BuildRoot-based embedded system, running on fairly meager resources, but it's a fully-fledged recent Linux kernel and I have a working ssh connection.

²They are interactive CLI-based programs.

Popup

2 Answers

2

Most Linux systems use the OpenSSH server. It looks like you can get this behavior using the Match directive. Documentation for the SSH server configuration file is here.

First, you have to make sshd listen for connections on the additional ports that you want to use. You can do this through either the Port or ListenAddress directives.

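# Listen on the normal port 22
Port 22
# Also listen on port 42
Port 42
# Listen on address 1.2.3.4, port 62. Once a ListenAddress is present, sshd applies the Port values only to ListenAddress entries that omit a port
ListenAddress 1.2.3.4:62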

Then, you can use the Match and ForceCommand directives to take special actions for users connecting to a particular port:

Match LocalPort 42
    ForceCommand /usr/local/bin/the-42-app

Match LocalPort 62
    ForceCommand /usr/local/bin/the-62-app

For people who don't want to set the ssh server to listen on multiple ports, there are two other ways to make the server run "canned" apps depending on how the user connects.

Subsystems

A subsystem is a command that's pre-configured into the server. Clients request to run the subsystem by name, and the server runs the command associated with the subsystem. This avoids the client having to know the exact command to run.

You configure subsystems in sshd by adding a line like this to sshd_config:

Subsystem someApp /usr/local/bin/someApp

Then the client calls it like this:

# "-s" means to request a subsystem
ssh user@host -s someApp

Forced Commands on Keys

For key-based authentication, sshd permits you to force a particular command to run when a particular key is used. This is done in the authorized_keys file which is documented here.

Each line of an authorized_keys file normally starts like this:

ssh-rsa AAAAB3N...

You can prepend an options field to the line. One of the options you can specify is a command to run when the key is used to authenticate:

command="/usr/local/bin/someApp" ssh-rsa AAAAB3N...

When that key is used to authenticate, the server will ignore whatever command the client requests to run, and run the specified command instead.

Kenster
  • Thanks! This is exactly what I'm looking for. I did look through the sshd man page, but didn't realise that the 'match' directive could be used like this. – Popup Aug 15 '16 at 06:34
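An added example, not part of the answer above and not OpenSSH code: a small Python audit that reads sshd_config text and lists the listening ports on which a session is not pinned to a forced command. The sample configuration, the `operator` user and the function names are constructed for illustration, and Match handling is simplified to a global ForceCommand and `Match LocalPort` blocks.

```python
import re

# Constructed sample for illustration; not taken from a real host.
SAMPLE = """\
Port 22
Port 42
Port 62
Match LocalPort 42
    ForceCommand /usr/local/bin/the-42-app
Match LocalPort 62 User operator
    ForceCommand /usr/local/bin/the-62-app
"""

def directives(text):
    for raw in text.splitlines():
        parts = raw.split()
        if parts and not parts[0].startswith("#"):  # skip blanks and comments
            yield parts[0].lower(), parts[1:]

def listen_ports(text):
    """Ports sshd binds: explicit ListenAddress ports, plus the Port values
    (default 22) when no ListenAddress is set or one omits its port."""
    ports, listens = set(), []
    for kw, args in directives(text):
        if kw == "port":
            ports.add(int(args[0]))
        elif kw == "listenaddress":
            m = re.fullmatch(r"(?:\[.*\]|[^:\[\]]+):(\d+)", args[0])
            listens.append(int(m.group(1)) if m else None)
    if not listens or None in listens:
        listens += list(ports or {22})
    return sorted({p for p in listens if p is not None})

def unforced_ports(text):
    """Listening ports on which some session is not pinned by ForceCommand."""
    covered, scope = set(), "global"
    for kw, args in directives(text):
        if kw == "match":
            crit = [a.lower() for a in args]
            # Extra criteria (User, Address, ...) leave other sessions on the port unmatched.
            scope = int(crit[1]) if len(crit) == 2 and crit[0] == "localport" else None
        elif kw == "forcecommand" and args and args[0].lower() != "none":
            if scope == "global":
                return []  # simplification: Match blocks overriding it are not modelled
            if scope is not None:
                covered.add(scope)
    return [p for p in listen_ports(text) if p not in covered]

print("ports without an unconditional ForceCommand:", unforced_ports(SAMPLE))
```

On a live host, sshd's extended test mode (`sshd -T` with a `-C` connection spec that includes `lport=`) prints the effective settings, ForceCommand included, for a connection to a given port.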
0

You can configure the SSH server to listen on multiple ports. Just add additional ports in sshd_config like this:

Port 22
Port 1111
Port 2222

Shantanu
  • Thanks! But how do I tell sshd to launch a different executable depending on what port was used? – Popup Aug 11 '16 at 07:29
  • It should be as simple as "ssh -p 22 user1@server1 date" or "ssh -p 1111 user2@server1 df -ah". Or are you looking for something else? – Shantanu Aug 11 '16 at 07:40
  • Well, as I specified in the question, I'd rather not have the user specify the executable explicitly. (For various reasons - not all of them valid.) – Popup Aug 11 '16 at 07:44