Run multiple instances of OpenSSH on one server

Instructions

Why would you want to run multiple instances of OpenSSH on one server? One common answer is to have separate internal and external instances of sshd, so that each one can have its own configuration and security settings.

I’m using Ubuntu 10.04 for this guide; some things may be different on other Linux distributions.

Binary

The first step is to create a symbolic link to sshd, which is located at /usr/sbin/sshd. By creating a symbolic link, the second binary automatically stays up to date when OpenSSH is updated through aptitude.

The command below creates a symbolic link to sshd in the same directory as the original binary.

sudo ln -s /usr/sbin/sshd /usr/sbin/sshd2

Configuration

The second step is to create a copy of the original configuration file, which is located at /etc/ssh/sshd_config. By creating a copy, we can set different options for each instance of sshd.

The below command will create a copy of the original sshd configuration file in the same directory.

sudo cp /etc/ssh/sshd_config /etc/ssh/sshd2_config

Now we need to edit the new configuration file so that the second instance of sshd runs on a different port from the original.

The below command will open the new sshd configuration file for editing in vi.

sudo vi /etc/ssh/sshd2_config

In order to make the new instance of sshd run on a different port, change the Port line in the new configuration file to the value below. The initialization script in the next step tracks the second instance through /var/run/sshd2.pid, so the PidFile line must be set to that path as well; otherwise sshd2 would write its PID to the default /var/run/sshd.pid and overwrite the original instance's PID file.

Port 2222
PidFile /var/run/sshd2.pid

Initialization Script

The third step is to create a copy of the initialization script for sshd, which is located at “/etc/init.d/ssh”.

sudo cp /etc/init.d/ssh /etc/init.d/ssh2

Some modifications have to be made to the new initialization script so that it references and loads the second instance of sshd: every reference to the sshd binary, its configuration file and its PID file must point at the sshd2 copies. Modify the new script to reflect the excerpt below (only the changed sections are shown).

test -x /usr/sbin/sshd2 || exit 0
( /usr/sbin/sshd2 -\? 2>&1 | grep -q OpenSSH ) 2> /dev/null || exit 0

check_for_no_start() {
    # do nothing if /etc/ssh/sshd2_not_to_be_run exists
    if [ -e /etc/ssh/sshd2_not_to_be_run ]; then
        if ! run_by_init; then
            log_action_msg "OpenBSD Secure Shell server not in use (/etc/ssh/sshd2_not_to_be_run)"
        fi
        exit 0
    fi
}

check_privsep_dir() {
    if [ ! -d /var/run/sshd2 ]; then
        mkdir /var/run/sshd2
        chmod 0755 /var/run/sshd2
    fi
}

check_config() {
    # test the second instance's own config file, not the default sshd_config
    if [ ! -e /etc/ssh/sshd2_not_to_be_run ]; then
        /usr/sbin/sshd2 -f /etc/ssh/sshd2_config $SSHD_OPTS -t || exit 1
    fi
}

case "$1" in
  start)
    if start-stop-daemon --start --quiet --oknodo --pidfile /var/run/sshd2.pid --exec /usr/sbin/sshd2 -- -f /etc/ssh/sshd2_config $SSHD_OPTS; then
        log_end_msg 0
    else
        log_end_msg 1
    fi
    ;;
  stop)
    if start-stop-daemon --stop --quiet --oknodo --pidfile /var/run/sshd2.pid; then
        log_end_msg 0
    else
        log_end_msg 1
    fi
    ;;

  reload|force-reload)
    # SIGHUP makes sshd2 re-read its configuration file
    if start-stop-daemon --stop --signal 1 --quiet --oknodo --pidfile /var/run/sshd2.pid --exec /usr/sbin/sshd2 -- -f /etc/ssh/sshd2_config; then
        log_end_msg 0
    else
        log_end_msg 1
    fi
    ;;

  restart)
    start-stop-daemon --stop --quiet --oknodo --retry 30 --pidfile /var/run/sshd2.pid
    if start-stop-daemon --start --quiet --oknodo --pidfile /var/run/sshd2.pid --exec /usr/sbin/sshd2 -- -f /etc/ssh/sshd2_config $SSHD_OPTS; then
        log_end_msg 0
    else
        log_end_msg 1
    fi
    ;;

  try-restart)
    # only start again if the old daemon was actually running and stopped
    RET=0
    start-stop-daemon --stop --quiet --retry 30 --pidfile /var/run/sshd2.pid || RET="$?"
    case $RET in
        0)
            if start-stop-daemon --start --quiet --oknodo --pidfile /var/run/sshd2.pid --exec /usr/sbin/sshd2 -- -f /etc/ssh/sshd2_config $SSHD_OPTS; then
                log_end_msg 0
            else
                log_end_msg 1
            fi
            ;;
        1)
            # daemon not running
            log_end_msg 0
            ;;
        *)
            # failed to stop
            log_end_msg 1
            ;;
    esac
    ;;

  status)
    status_of_proc -p /var/run/sshd2.pid /usr/sbin/sshd2 sshd2 && exit 0 || exit $?
    ;;

  *)
    log_action_msg "Usage: /etc/init.d/ssh2 {start|stop|reload|force-reload|restart|try-restart|status}"
    exit 1
    ;;
esac
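Before starting the second instance it is worth confirming that the two configuration files cannot collide with each other. The script below is an added example, not part of the original post: it reads the effective Port and PidFile from each file the way sshd does (first occurrence wins, keywords are case-insensitive, comment lines are ignored), fails if either value is shared between the two files, and then syntax-checks the new file with the binary that will load it. The paths /etc/ssh/sshd_config, /etc/ssh/sshd2_config and /usr/sbin/sshd2 are the ones used in this guide; the sshd defaults assumed when a keyword is absent are Port 22 and PidFile /var/run/sshd.pid.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight check that a second
# sshd configuration cannot collide with the primary one. Assumed paths are
# the ones used in this guide (/etc/ssh/sshd_config, /etc/ssh/sshd2_config,
# /usr/sbin/sshd2).

# Effective value of a keyword in an sshd_config file, read the way sshd
# reads it: the FIRST occurrence wins, keywords are case-insensitive,
# '#' lines are comments, and Port/PidFile cannot appear after a Match line.
sshd_opt() {
    awk -v k="$2" '
        /^[[:space:]]*#/          { next }
        tolower($1) == "match"    { exit }
        tolower($1) == tolower(k) { print $2; exit }
    ' "$1"
}

# Same, but fall back to sshd's compiled-in default when the keyword is absent.
sshd_opt_or() {
    v=$(sshd_opt "$1" "$2")
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf '%s\n' "$3"; fi
}

# Return 0 when the two configs can run side by side (different Port and
# different PidFile); report each clash on stderr otherwise. A shared PidFile
# is the subtle one: the init scripts would then stop or restart the wrong sshd.
check_no_collision() {
    rc=0
    for kv in "Port 22" "PidFile /var/run/sshd.pid"; do
        key=${kv%% *}; def=${kv#* }
        a=$(sshd_opt_or "$1" "$key" "$def")
        b=$(sshd_opt_or "$2" "$key" "$def")
        if [ "$a" = "$b" ]; then
            echo "collision: $key is '$a' in both $1 and $2" >&2
            rc=1
        fi
    done
    return $rc
}

# Syntax-check the new config with the binary that will load it (sshd -t);
# skipped when that binary is not installed on this machine.
test_config() {
    [ -x "$1" ] || return 0
    "$1" -t -f "$2"
}

# Usage: sh sshd2-precheck.sh /etc/ssh/sshd_config /etc/ssh/sshd2_config [/usr/sbin/sshd2]
if [ "$#" -ge 2 ]; then
    check_no_collision "$1" "$2" && test_config "${3:-/usr/sbin/sshd2}" "$2"
fi
```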

iptables

Now you need to make sure that you open a port in the firewall for the new instance of sshd.

This command will open port 2222 in iptables for inbound TCP traffic.

sudo iptables -A INPUT -p tcp --dport 2222 -j ACCEPT

Start

Now it is time to start the new instance of sshd.

This command will run the new initialization script ssh2.

sudo /etc/init.d/ssh2 start

Conclusion

If everything was successful, you will have two running instances of sshd (sshd and sshd2). You can check this by looking at the running processes.

This command will show running processes that have “ssh” in their name.

ps -e | grep ssh

You should see “sshd” and “sshd2” in the output of the above command. If you don’t, then double check that you didn’t miss a step. You might also want to check your log files.
