Re: Running multiple sshd instances on one server
Posted by unix, 03-19-2008, 02:23 PM

On Wed, 19 Mar 2008 06:01:14 -0700 (PDT), ss11223@gmail.com wrote:
> I am running a system that has a NAT firewall on it with two IP
> addresses, one on the outside internet, and one on an internal
> network. This is a debian stable system.
>
> I want to have different login criteria for the internal network
> (passwords allowed) and the external network (key based only) and
> different allowed user lists for each. I conjecture that the only
> way to do this is to run two instances of sshd with different
> config files. Is there anything in ssh that would prevent me from
> doing this? Has anyone tried this and have any pointers or gotchas
> to look out for?

I've run two separate sshd daemons. The instructions below,
which I've posted a few times before, pertain to RedHat-style
systems (RHEL, Fedora, CentOS, and so on). You'll have to
translate them for your debian system.

=====
I suggest the following procedure, which will give you two distinct
ssh daemons, each with its own policies. These instructions pertain
to Redhat-style systems; your file paths might vary.

Let's assume you already have ssh set up to listen on one NIC
with the policies you want. Then, without too much detail:

1. cp -p /etc/ssh/ssh_config /etc/ssh/otherssh_config
Modify the new file as necessary for the policy you want.

2. cp -p /etc/ssh/sshd_config /etc/ssh/othersshd_config
Modify the new file as necessary. Most importantly, look
at ListenAddress and Port.

3. cp -p /etc/rc.d/init.d/sshd /etc/rc.d/init.d/othersshd
Modify the new file to point to otherssh wherever
the old file pointed to ssh. This includes
executables, config files, pid files and key files, for
example.

4. cd /usr/sbin/
ln -s sshd othersshd
No changes to the executable.

5. cd /etc/pam.d/
ln -s sshd othersshd
No changes to the PAM module, usually.

Then when all the changes are done:
6. chkconfig --add othersshd
chkconfig --list | grep othersshd
Should be on in levels 2345
service othersshd start
This should create a new set of keys.

One drawback to this scheme: if you ever update ssh, it might change
the config files or sshd init file, but it won't touch the
otherssh files.
=====

--
Dale Dellutri (lose the Q's)
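Step 2 above (deriving the second sshd_config with different ListenAddress, Port and authentication policy) is where the policy split actually happens. The script below is an added example, not code from the post or from OpenSSH: it builds an external-facing, key-only config from the existing internal one and reports the value sshd would really use for a keyword. The file and key names (othersshd_config, /var/run/othersshd.pid, othersshd_host_rsa_key) and the sample internal config are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: derive an external-facing
# sshd config (key-only, restricted users) from the existing internal one.
# Assumed names: othersshd_config, /var/run/othersshd.pid, othersshd_host_* keys.

derive_external_sshd_config() {
    src=$1 dst=$2 addr=$3 port=$4 users=$5
    # sshd uses the FIRST occurrence of a keyword, so every copy of a
    # directive we set is removed before ours are appended; otherwise an
    # inherited "PasswordAuthentication yes" would silently win.
    sed -E '/^[[:space:]]*(ListenAddress|Port|PidFile|HostKey|PubkeyAuthentication|PasswordAuthentication|ChallengeResponseAuthentication|PermitRootLogin|AllowUsers)[[:space:]]/d' "$src" > "$dst"
    cat >> "$dst" <<EOF
# ---- external-facing instance (appended by derive_external_sshd_config) ----
ListenAddress $addr
Port $port
PidFile /var/run/othersshd.pid
HostKey /etc/ssh/othersshd_host_rsa_key
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
AllowUsers $users
EOF
}

# Value sshd would actually use for a single-valued keyword: first match
# wins, comments and blank lines are skipped, keywords are case-insensitive.
sshd_effective() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == key { print $2; exit }' "$2"
}

# Constructed sample of the internal-NIC daemon's config (not a real file).
DEMO_DIR=$(mktemp -d)
cat > "$DEMO_DIR/sshd_config" <<'EOF'
Port 22
ListenAddress 192.168.1.1
HostKey /etc/ssh/ssh_host_rsa_key
PasswordAuthentication yes
ChallengeResponseAuthentication yes
X11Forwarding no
Subsystem sftp /usr/libexec/openssh/sftp-server
EOF
derive_external_sshd_config "$DEMO_DIR/sshd_config" "$DEMO_DIR/othersshd_config" 203.0.113.10 2222 "alice bob"
echo "external: PasswordAuthentication=$(sshd_effective PasswordAuthentication "$DEMO_DIR/othersshd_config")"
# Validate with "sshd -t -f $DEMO_DIR/othersshd_config" once the host key exists.
```

Run `sshd -t -f` against the derived file after the init script from step 6 has generated the host keys; until they exist the syntax check fails on the missing HostKey.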