kippo's code is going to be less audited than openssh's. do you run kippo as roo...

mfontani · on March 11, 2011

I run it as a dedicated user, on a high port. Port 22 of the router is merely forwarded to the internal high port I use. Sure, I could chroot the thing as well.

gbrindisi · on March 11, 2011

kippo can't be executed as root.

dmm · on March 11, 2011

How does it open a server on a port <1024 without privileged access?

rosser · on March 11, 2011

It probably doesn't.

  # accept traffic to the normal ssh port
  iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
  # accept traffic on the port kippo is listening on
  iptables -A INPUT -i eth0 -p tcp --dport 2222 -j ACCEPT
  # direct traffic inbound on port 22 to port 2222
  iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 22 -j REDIRECT --to-port 2222

Make sure also to add an ACCEPT rule for traffic to whatever port sshd is actually bound to.

cft · on March 12, 2011

http://www.faqs.org/docs/iptables/traversingoftables.html Table nat is traversed <b>before</b> filter table. Therefore, the rule iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT is unnecessary.

gcb · on March 12, 2011

Everyone, hear the post above.

Damn little arrows and imprecise HTC touchscreens... downvoted you by mistake

dmm · on March 11, 2011

That's fine so long as you trust all of the users on your system. Otherwise they could potentially get something running on port 22. Which, so long as you aren't actually sending auth info to 22, probably isn't a big deal.

epochwolf · on March 11, 2011

You use iptables to route port 22 on the external interface to a high port on localhost