[DaleDellutri.com logo.]
DaleDellutri.com
My home on the web.
→Home    ↑Astronomy    →Links    Programming    →Writing

Programming

Running two SSH daemons

I'm running a system that has two NICs: one connects to the internet, the other connects to the lan. I need to SSH in from machines on the internet, and also from other machines on the lan. Of course, I want different policies for these two connections.

The simplest way is to run two SSH daemons, one for each interface. Here's how I set it up on a Redhat-style Linux system, such as RHEL, Fedora, CentOS, and Scientific Linux. The file paths and start-up procedures will be different for other distros.

THE FOLLOWING IS OFFERED WITHOUT WARRANTY OF ANY KIND. THIS IS WHAT I DID, BUT YOU MAY NEED TO DO SOMETHING DIFFERENT. YOU ARE RESPONSIBLE FOR ALL CHANGES TO YOUR SYSTEM. IF IT BREAKS, YOU GET TO FIX IT.

I started with a single SSH daemon set up to listen only on the lan NIC. Then:

  1. I copied the ssh_config file, and modified the new file as necessary for the policy I wanted. 
    # cd /etc/ssh
# cp -p ssh_config otherssh_config
  2. I copied the sshd_config file, and modified the new file as necessary for the policy I wanted. Wherever the old file mentioned ssh<whatever>, I changed it to otherssh<whatever>. I also changed Port, ListenAddress, and other variables. 
    # cd /etc/ssh
# cp -p sshd_config othersshd_config
  3. I copied the init script, and modified the new file to point to otherssh<whatever> wherever the old file pointed to ssh<whatever>. 
    # cd /etc/rc.d/init.d
# cp -p sshd othersshd
  4. I created a soft link to the executable SSH daemon. 
    # cd /usr/sbin/
# ln -s sshd othersshd
  5. I created a soft link to the PAM module. I didn't need to make any changes to this file. If you need to change the PAM module you should copy it instead, then modify the new file. 
    # cd /etc/pam.d/
# ln -s sshd othersshd
  6. When the changes were done, I added the new SSH daemon to the service list and started it. The grep below showed that the service was on in runlevels 2345. Starting the service created a new set of keys as defined in the HostKey lines in othersshd_config. 
    # chkconfig --add othersshd
# chkconfig --list | grep othersshd
# service othersshd start

There is a drawback to this scheme: if "yum update" changes any of the ssh config or init files, I have to manually make similar changes to the files I've copied and modified.

I've been asked why I needed to make a new init file and a new soft link to the executable. There are three reasons. First, some of the subroutines in the init script depend on the executable name being the same as the service name. Second, when I do a "ps" or something else that shows statistics by process, I'd be able to tell which ssh daemon is which. Third, having a new name gives a consistent naming scheme to all components of the new (RedHat-style) service.

[DaleDellutri.com favicon] Web site comments, criticisms and complaints: E-mail: Dale Dellutri .
Copyright 2008 Dale A. Dellutri
Last modified: Wednesday, 27-Aug-2008 16:40:43 EDT