mina-dev mailing list archives

From elijah baley <e_ba...@outlook.com>
Subject RE: Partial Disabling of port 22 using apache-mina SSHD
Date Tue, 21 Jun 2016 18:17:56 GMT
The topic is too wide to cover in a short mail message - I suggest you look into the code of
Apache MINA SSHD (https://github.com/apache/mina-sshd), especially the tests, where you will
find many examples of how to achieve anything you like. However, here are the basics (for the
client side):
- Initialize an SshClient instance
- Use that instance to open a session to your server
- Provide username/password or private key and authenticate the session
- Once you have the session authenticated there are many choices open to you:
    * Open a "shell" channel and run interactive commands
    * Open an "exec" channel and run a single command
    * Obtain an SftpClient instance and access remote files
    * Obtain an ScpClient instance and upload/download files
    * Create a local/remote tunnel
    * Clean up/close the resources you opened once no longer needed (note: the SshClient
      should be stopped/closed once your application no longer needs to access SSH servers -
      usually on application exit...).

All this and more using the session you just obtained, or (if you like/need) create a new
session for each usage - there are advantages and disadvantages to each approach. There are
many details to take into account, but if you don't have any special requirements then the
defaults you get should be good enough. The vast majority of the APIs have Javadoc that should
help make sense of the options - again, I recommend you look at how the tests are coded -
there are very good chances you will find a suitable example similar to what you want to achieve.
The same applies for the server side, although it is a bit trickier... Hope this gives you a
good lead how to proceed.

> Date: Tue, 21 Jun 2016 22:45:57 +0530
> Subject: RE: Partial Disabling of port 22 using apache-mina SSHD
> From: jain.garima88@gmail.com
> To: dev@mina.apache.org
> 
> Hey,
> 
> What shell commands can be executed and how? Or how to provide tunnel?
> Can you provide sample code for the same?
> 
> Any methods from sftp class?
> 
> -Garima Jain
> On Jun 21, 2016 10:02 PM, "elijah baley" <e_baley@outlook.com> wrote:
> 
> > No, SFTP is not a protocol that runs on a specific port; it is a
> > sub-protocol (actually a subsystem) of SSH. FYI, SSH enables opening
> > multiple channels on the same session. You can run shell commands (what
> > many mistakenly call SSH), SFTP and SCP as well as tunnels concurrently on
> > the same SSH session. The port is always 22 (SSH) for SFTP and SCP (and any
> > other channel - e.g. PROXY, SOCKS, etc...).
> >
> > > From: jain.garima88@gmail.com
> > > Date: Tue, 21 Jun 2016 11:42:58 +0530
> > > Subject: Re: Partial Disabling of port 22 using apache-mina SSHD
> > > To: dev@mina.apache.org
> > >
> > > Can I keep the port open for sftp and close for ssh?
> > >
> > > -Garima Jain.
> > >
> > > On Mon, Jun 20, 2016 at 10:33 PM, garima jain <jain.garima88@gmail.com>
> > > wrote:
> > >
> > > > Thanks. Will use that.
> > > >
> > > > -Garima Jain
> > > > On Jun 20, 2016 10:31 PM, "Ashish" <paliwalashish@gmail.com> wrote:
> > > >
> > > >> On Mon, Jun 20, 2016 at 9:43 AM, garima jain <jain.garima88@gmail.com> wrote:
> > > >> > Can we use black list/whitelist feature?
> > > >>
> > > >> This is what you should use.
> > > >>
> > > >> >
> > > >> > -Garima Jain
> > > >> > On Jun 20, 2016 10:12 PM, "elijah baley" <e_baley@outlook.com> wrote:
> > > >> >
> > > >> >> There are many options - depending on the actual setup:
> > > >> >> - You can move SSHD to a non-standard port on all interfaces - easy to
> > > >> >>   do when setting up the server - just call "setPort" on the SshServer
> > > >> >>   instance
> > > >> >> - You can bind SSHD to a specific interface (e.g., 127.0.0.1) on port 22
> > > >> >>   and bind SFTP to the public interface on port 22 - easy to do just call
> > > >> >>   "setAddress" (or something to that effect) on the SshServer instance
> > > >> >> I could think of more exotic options - e.g. similar to sslh, using
> > > >> >> HAPROXY, etc., etc.
> > > >> >> > From: jain.garima88@gmail.com
> > > >> >> > Date: Mon, 20 Jun 2016 12:10:26 +0530
> > > >> >> > Subject: Re: Partial Disabling of port 22 using apache-mina SSHD
> > > >> >> > To: dev@mina.apache.org
> > > >> >> >
> > > >> >> > Hi elijah,
> > > >> >> >
> > > >> >> > The requirement is to block port 22 for SSH and accept SFTP connections
> > > >> >> > on Port 22. Is there a class/method that can help us achieve the aim?
> > > >> >> >
> > > >> >> > -Garima Jain.
> > > >> >> >
> > > >> >> > On Fri, Jun 17, 2016 at 3:27 PM, elijah baley <e_baley@outlook.com> wrote:
> > > >> >> >
> > > >> >> > > Is there some reason your code cannot examine the incoming client
> > > >> >> > > address and reject it if it does not match some specified criteria
> > > >> >> > > (e.g., mask, network, closed group of IPs - whatever...) ?
> > > >> >> > >
> > > >> >> > > > From: jain.garima88@gmail.com
> > > >> >> > > > Date: Fri, 17 Jun 2016 14:50:51 +0530
> > > >> >> > > > Subject: Partial Disabling of port 22 using apache-mina SSHD
> > > >> >> > > > To: dev@mina.apache.org
> > > >> >> > > >
> > > >> >> > > > Hi,
> > > >> >> > > >
> > > >> >> > > > We are using com.springsource.org.apache.mina-1.0.2.jar in our product.
> > > >> >> > > > The requirement is to disable port 22 for all incoming traffic over SSH
> > > >> >> > > > but the same port is required to communicate with few IP’s over 22. Is
> > > >> >> > > > there a way to handle selective port blocking?
> > > >> >> > > >
> > > >> >> > > > -Garima Jain.
> > > >> >> > >
> > > >> >> > >
> > > >> >>
> > > >>
> > > >>
> > > >>
> > > >> --
> > > >> thanks
> > > >> ashish
> > > >>
> > > >> Blog: http://www.ashishpaliwal.com/blog
> > > >> My Photo Galleries: http://www.pbase.com/ashishpaliwal
> > > >>
> > > >
> >
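
The client-side steps listed in the message above (create the client, open a session, authenticate, run one command over an "exec" channel, clean up), as an added example that is not part of the original mail or of the project's own code. It assumes the Apache MINA SSHD 2.x API; the class name, the `SSH_PASSWORD` environment variable, the command and the timeouts are illustrative choices.

```java
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Paths;
import java.util.EnumSet;
import java.util.concurrent.TimeUnit;

import org.apache.sshd.client.SshClient;
import org.apache.sshd.client.channel.ChannelExec;
import org.apache.sshd.client.channel.ClientChannelEvent;
import org.apache.sshd.client.keyverifier.KnownHostsServerKeyVerifier;
import org.apache.sshd.client.keyverifier.RejectAllServerKeyVerifier;
import org.apache.sshd.client.session.ClientSession;

public class ExecOverSsh {                       // hypothetical class name
    public static void main(String[] args) throws Exception {
        String host = args[0];                   // caller-supplied target
        int port = Integer.parseInt(args[1]);
        String user = args[2];
        String password = System.getenv("SSH_PASSWORD"); // assumption: secret passed via env

        SshClient client = SshClient.setUpDefaultClient();
        // Accept only host keys already present in known_hosts; unknown servers are rejected.
        client.setServerKeyVerifier(new KnownHostsServerKeyVerifier(
                RejectAllServerKeyVerifier.INSTANCE,
                Paths.get(System.getProperty("user.home"), ".ssh", "known_hosts")));
        client.start();
        try (ClientSession session = client.connect(user, host, port)
                .verify(10, TimeUnit.SECONDS).getSession()) {
            session.addPasswordIdentity(password);
            session.auth().verify(10, TimeUnit.SECONDS);   // throws if authentication fails

            try (ChannelExec channel = session.createExecChannel("id");
                 ByteArrayOutputStream out = new ByteArrayOutputStream()) {
                channel.setOut(out);
                channel.setErr(out);
                channel.open().verify(10, TimeUnit.SECONDS);
                // Block until the remote command finishes and the channel closes.
                channel.waitFor(EnumSet.of(ClientChannelEvent.CLOSED),
                        TimeUnit.SECONDS.toMillis(30));
                System.out.println("exit status: " + channel.getExitStatus());
                System.out.print(new String(out.toByteArray(), StandardCharsets.UTF_8));
            }
        } finally {
            client.stop();   // stop the client once no more SSH access is needed
        }
    }
}
```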
 		 	   		  
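
One way to get the server behaviour asked for in this thread (SFTP allowed on port 22, shell/exec and tunnels refused, only a closed group of client IPs accepted), as an added example that is not code from the thread or from the project. It assumes Apache MINA SSHD 2.6 or later with the `sshd-sftp` module; the class name, file names and the allow-listed addresses are constructed placeholders.

```java
import java.net.InetSocketAddress;
import java.net.SocketAddress;
import java.nio.file.Paths;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import org.apache.sshd.common.session.Session;
import org.apache.sshd.common.session.SessionListener;
import org.apache.sshd.server.SshServer;
import org.apache.sshd.server.config.keys.AuthorizedKeysAuthenticator;
import org.apache.sshd.server.forward.RejectAllForwardingFilter;
import org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider;
import org.apache.sshd.sftp.server.SftpSubsystemFactory;

public class SftpOnlyServer {                    // hypothetical class name
    // Constructed sample allow-list (RFC 5737 documentation addresses).
    static final Set<String> ALLOWED = new HashSet<>(Arrays.asList("192.0.2.10", "192.0.2.11"));

    static boolean isAllowed(SocketAddress remote) {
        return remote instanceof InetSocketAddress
                && ALLOWED.contains(((InetSocketAddress) remote).getAddress().getHostAddress());
    }

    public static void main(String[] args) throws Exception {
        SshServer sshd = SshServer.setUpDefaultServer();
        sshd.setPort(22);
        sshd.setKeyPairProvider(new SimpleGeneratorHostKeyProvider(Paths.get("hostkey.ser")));
        // SFTP is the only subsystem. No shell factory and no command factory are set,
        // so "shell" and "exec" channel requests on this server fail.
        sshd.setSubsystemFactories(Collections.singletonList(new SftpSubsystemFactory()));
        sshd.setForwardingFilter(RejectAllForwardingFilter.INSTANCE);   // no tunnels
        // Public-key authentication against a local authorized_keys file (placeholder path).
        sshd.setPublickeyAuthenticator(new AuthorizedKeysAuthenticator(Paths.get("authorized_keys")));
        sshd.addSessionListener(new SessionListener() {
            @Override
            public void sessionCreated(Session session) {
                // Examine the incoming client address and drop it before authentication.
                if (!isAllowed(session.getIoSession().getRemoteAddress())) {
                    session.close(true);
                }
            }
        });
        sshd.start();
        Thread.sleep(Long.MAX_VALUE);            // keep the JVM alive while serving
    }
}
```

An address filter in the application complements, rather than replaces, a host or network firewall rule for the same allow-list.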