Subj : Re: Mystic SSHD won't start? Is there an SSH server?
To   : Bradley D. Thornton
From : Tony Langdon
Date : Mon Sep 09 2019 05:14 pm

-=> On 09-08-19 22:02, Bradley D. Thornton wrote to Tony Langdon <=-

 BDT> Yes I enabled the SSH server, and it didn't appear to start. I did a
 BDT> quick restart of mis, checked again, and still nothing - but I think I
 BDT> was just impatient since, when I came back a few minutes later to scan
 BDT> the port saw that it was open, and logged in. Yay! :)

Cool, sounds good. :)

 BDT> It seemed a little funky, as far as how it went through the login
 BDT> process when I tried it (once), but I'll check on it later, I'm sure
 BDT> I've just got to get used to it.

SSH works fine. I've used it. :)

 BDT> So for now I've got port 23 open for telnet and port 22 open (running
 BDT> Mystic's SSHD). I'm glad that I didn't have to install and run another
 BDT> OpenSSHD and figure out how to pass that through or if it could be
 BDT> done. Like I inferred, although perhaps not clearly enough, I already
 BDT> have SSHD listening on another, non-standard port for regular user
 BDT> access to the host, i.e., there are two SSH daemons listening now,
 BDT> Mystic on 22 and OpenSSH on another :)

Yep I run 3 SSH daemons here:

OpenSSH on port 22 all IPs
Mystic on port 222 on selected IPs
Synchronet on port 222 on a different set of selected IPs. :)

 BDT> I start mis as root. Actually, since that part of testing is over now,
 BDT> I start it as the non-priv'd user who owns the dir with a sudo - one of
 BDT> the use cases where I believe in using sudo ;) For that, I don't add
 BDT> the user to the sudo group, because any breakouts could afford a script
 BDT> kiddie to wreak havoc with impunity, so the user running "mis" (Not
 BDT> mystic) is only allowed to run mis.

Using sudo is still "running as root".

 BDT> I try to avoid letting non-privileged users run daemons on privileged
 BDT> lower ports, but with some software, do sometimes. This isn't one of
 BDT> those times ;)

Umm, why? Back in the old days, there were lots of users (as in actual
people with individual UNIX accounts) and only one sysadmin. In that
environment, it makes sense not to allow non root users to bind
privileged ports - you wouldn't want a user taking over the SMTP port,
for example.

Today it's more common to have Linux boxes with only one actual (human)
user - the sysadmin, and any "users" are simply accounts to isolate
processes from one another. Allowing these users to run a specific
application that can bind privileged ports means they don't have to
start the application as root, with a (very) small increased potential
for a root compromise, if a flaw can be triggered before it drops
privileges.

 BDT> Now, that begs another question. If someone breaks out of Mystic...
 BDT> that's always a concern, so what SSH implementation does Mystic use? I
 BDT> ask because I want to know how confident I should be that port 22
 BDT> (Mystic's SSHD) is as secure as OpenSSH is on the host.

I'm not sure tbh.

 BDT> Thanks again! I'm going to work on getting echomail setup tonight
 BDT> later, I think I'll start with Fsxnet. Then Fidonet, Then you won't all
 BDT> have to read messages from me via Rob's server ;)

 BDT> If I'm once again a SysOP, then I should be sending Echomail from my
 BDT> own system lolz.

Yes, it's nice to have your own system running echomail. :)

.... Reality is for those who can't handle computers.

=== MultiMail/Win v0.51
--- SBBSecho 3.03-Linux
 * Origin: Freeway BBS Bendigo,Australia freeway.apana.org.au (3:633/410)
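The exchange above turns on one pattern: a daemon that must own a port below 1024 binds it while it still has root, then drops to an unprivileged account before it talks to anyone, so the window for a root compromise is just the code that runs before the drop. The script below is an added illustration of that bind-then-drop ordering with a check that the drop is irreversible; it is not code from Mystic, Synchronet or OpenSSH, and the host, port and account it uses (127.0.0.1, an ephemeral port, the current user or uid/gid 65534 when started as root) are assumptions so it can run without special rights.

```python
"""
Bind the listening socket first, then drop root, then verify the drop.
Added example for the privileged-port discussion; not BBS project code.
Assumed values: 127.0.0.1 and port 0 (ephemeral) for the demo, uid/gid
65534 (the conventional 'nobody' ids on Linux) when started as root.
"""
import os
import socket


def bind_listener(host, port):
    """Create and bind the listening socket.
    On Linux, binding a port below 1024 needs root or CAP_NET_BIND_SERVICE,
    so this is the only step that has to run with elevated privilege."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind((host, port))
    sock.listen(16)
    return sock


def drop_privileges(uid, gid):
    """Irreversibly switch to an unprivileged uid/gid.
    Order matters: supplementary groups and the gid must be changed while
    the process is still root, because after setuid() it no longer can.
    setuid()/setgid() (not seteuid()) change the real, effective and saved
    ids together, which is what makes the drop permanent."""
    if os.geteuid() == 0:
        os.setgroups([])  # shed supplementary groups; only root may call this
    os.setgid(gid)
    os.setuid(uid)
    return os.getuid(), os.getgid()


def privileges_dropped():
    """True only if root cannot be regained: setuid(0) must fail with EPERM.
    A process that dropped with seteuid() would pass a geteuid() check but
    fail here, which is why the check is phrased as an attempt to go back."""
    if os.geteuid() == 0:
        return False
    try:
        os.setuid(0)
    except PermissionError:
        return True
    return False


def current_ids():
    """The ids the process is running with right now."""
    return os.getuid(), os.getgid()


def pick_unprivileged_ids():
    """Demo helper: an assumed target account. 65534/65534 when we are root
    (so the drop is real), otherwise the user we already are (so the calls
    still succeed: a non-root process may always setuid() to its own uid)."""
    if os.geteuid() == 0:
        return 65534, 65534
    return current_ids()


def start_service(host, port, uid, gid):
    """The safe ordering: bind while privileged, drop, verify, only then serve.
    Refusing to continue when the drop did not take is the defensive default."""
    sock = bind_listener(host, port)
    drop_privileges(uid, gid)
    if not privileges_dropped():
        sock.close()
        raise RuntimeError("still privileged after drop; refusing to serve")
    return sock


if __name__ == "__main__":
    uid, gid = pick_unprivileged_ids()
    s = start_service("127.0.0.1", 0, uid, gid)
    print("listening on", s.getsockname(), "as uid/gid", current_ids())
    s.close()
```

On a host where the goal is to avoid starting as root at all, the usual alternative to this pattern is to grant the binary only the bind capability (`setcap cap_net_bind_service=+ep` on the executable) or, under systemd, `AmbientCapabilities=CAP_NET_BIND_SERVICE` in the unit, so the daemon never holds root in the first place; for the sudo approach described in the thread, `sudo -l` run as the service account is the quick way to confirm that the only permitted command really is the daemon's launcher.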